---------- Forwarded message ----------
From: Najmi <[email protected]>

----- Forwarded message -----
From: "Tim Lott" <[email protected]>
Date: Thu, Oct 28, 2010 1:04 am
Subject: [apwg] Website Sidejacking
To: "[email protected]" <[email protected]>

Apologies for the cross-posting.

Many of you have probably heard in the news about the new add-on for Firefox called Firesheep. This add-on makes it incredibly easy to sidejack non-‘HTTPS’ login sites (for example Facebook and Twitter) if you connect to them over an open wireless network. While the ability to sidejack is nothing new, this add-on makes it feasible for anyone to do it with one click. No programming or “hacker skills” are needed. As of this morning this add-on has been downloaded over 312,000 times and has only been available since Sunday.

We know many of you have personal Facebook accounts and wanted to get this information to you as soon as possible. The takeovers can occur if you connect to an open wireless network (such as a coffee shop, the airport, or a hotel) and then log in to your accounts. All Internet browsers and mobile Internet browsers, as well as the Facebook and Twitter apps for iPhone and iPad, are susceptible to this vulnerability.

In Facebook the sidejackers can access all areas of your profile, send messages as you, intercept chat messages, read Facebook emails and change privacy settings, but the one thing that they are unable to do is change your password. In Twitter the sidejackers can tweet as you, send direct messages as you, view all of your Twitter direct messages and can change certain settings, including deleting the current phone number and adding a new one. Other websites are also affected, but not to this degree of vulnerability. The developer states that he will be adding more websites soon. The complete list of websites can be found at http://github.com/codebutler/firesheep/wiki/Handlers.

We have tested this add-on using Facebook, Twitter, Google, Yahoo, Foursquare, Tumblr, Yelp, and Amazon. Each website was able to be accessed with varying levels of success. For example, in Amazon you can view the Wishlist, but not make purchases or change settings. In Yahoo you can preview the most recent email, but not read the full body, and you can view the Yahoo Messenger contact list, but not chat. In Google you can view the full contact list (including phone contacts if the Gmail account is synced to the Droid), but not view emails or change settings. By far the most functionality is gained through Facebook, Twitter, Foursquare and Tumblr in our testing.

The best way to protect yourself from this attack is to not connect to open wireless and log in to any accounts. However, we know that this is not always feasible. If you are going to connect to open wireless networks and log in to these accounts, use an ‘HTTPS’ login (for example, type https://facebook.com rather than http://facebook.com). If you use the Firefox Internet browser there is an add-on you can download that will automatically direct you to all ‘HTTPS’ logins so you don’t have to remember. It can be downloaded at https://www.eff.org/https-everywhere. We have not done any extensive testing of this add-on and users download it at their own risk. ‘HTTPS’ logins are not possible with iPhone and iPad apps, so there is no way to protect yourself when using those devices connected to open wireless. If you connect on these devices through the 3G connection you are protected. If you have open wireless at your residence you are also susceptible.

Once again, we know that this is not a new concept for open wireless networks. Hackers have always had the ability to obtain this information. The scary part is how incredibly easy Firesheep makes this attack for the everyday computer user. It is literally one click to obtain this information. In addition, this add-on combined with anyone who has hacker skills could easily gain even more information about users.

It is important for law enforcement to know, not only for your personal safety, but also for the implications in cases involving stalking, cyber-bullying, harassment, blackmail, identity theft, etc. Because the sidejacking takes place on an open wireless network, it would be extremely difficult to locate the person who actually posted the information.

If you have any questions don’t hesitate to contact me or Lauren Wagner ([email protected]), as we have been conducting tests on this vulnerability and will continue to do so.

Thanks,

Timothy M. Lott
High Tech Crime Training Specialist
SEARCH, The National Consortium for Justice Information and Statistics
Desk: 916.392.2550, ext. 209
Cell: 916.205.5213
Email: [email protected]
_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki http://www.owasp.org/index.php/Malaysia
OWASP Malaysia Wiki Facebook http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
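As an added example (not part of the mail above, and not code from SEARCH, the APWG or the Firesheep project), the following Python script audits a site's login response for the condition the mail describes: a session cookie that the browser will also send over plain http://, which is what a passive listener on an open wireless network can read and replay. It also notes whether the response carries a Strict-Transport-Security header or an HTTP-to-HTTPS redirect, the server-side equivalents of the "type https://" and HTTPS Everywhere advice. All header values, cookie names and the `example.test` host are constructed sample data, not captures from any of the sites listed in the mail.

```python
"""Audit a login response for session-sidejacking exposure.

Added example for this thread; not code from the mail, SEARCH or Firesheep.
A session cookie set without the Secure attribute is sent by the browser on
every plain http:// request to the site, so anyone on the same open wireless
network can read and replay it. All headers below are constructed samples.
"""
from dataclasses import dataclass

# Name fragments that usually mark an authenticated-session cookie (heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieFinding:
    name: str
    secure: bool        # Secure attribute: browser sends it only over HTTPS
    httponly: bool      # HttpOnly attribute: hidden from page JavaScript
    session_like: bool  # name suggests it carries the login session

    @property
    def sidejackable(self) -> bool:
        """True when the cookie identifies the session and leaks over http://."""
        return self.session_like and not self.secure


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie header value into a CookieFinding."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    lname = name.lower()
    return CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        session_like=any(hint in lname for hint in SESSION_HINTS),
    )


def audit_login_response(status: int, headers: list) -> dict:
    """Summarise exposure from a status code and a list of (name, value) headers."""
    lower = [(n.lower(), v) for n, v in headers]
    cookies = [parse_set_cookie(v) for n, v in lower if n == "set-cookie"]
    hsts = any(n == "strict-transport-security" for n, _ in lower)
    redirect_https = status in (301, 302, 307, 308) and any(
        n == "location" and v.lower().startswith("https://") for n, v in lower
    )
    exposed = [c.name for c in cookies if c.sidejackable]
    return {
        "exposed_session_cookies": exposed,
        "hsts": hsts,
        "redirects_to_https": redirect_https,
        # HSTS and redirects help once the browser has seen them, but the
        # cookie attribute is what decides whether the session can ever travel
        # in the clear, so the verdict keys on it alone.
        "sidejackable": bool(exposed),
    }


# Constructed sample: a login response of the kind the mail describes,
# whose session cookie is usable over plain http://.
WEAK_RESPONSE = (200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
])

# Constructed sample: the same site after hardening.
HARDENED_RESPONSE = (200, [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
])

# Constructed sample: a plain-HTTP front door that sends the browser to HTTPS.
REDIRECT_RESPONSE = (301, [("Location", "https://example.test/login")])


if __name__ == "__main__":
    for label, (status, headers) in (
        ("weak", WEAK_RESPONSE),
        ("hardened", HARDENED_RESPONSE),
        ("redirect", REDIRECT_RESPONSE),
    ):
        print(label, audit_login_response(status, headers))
```

The same `audit_login_response` can be fed real headers from a site you operate (for instance the `headers` list from an `http.client` response) to check that the login session cookie carries `Secure` and that plain-HTTP requests are redirected before any cookie is set.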

