When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.
It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.
After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big “Start Capturing” button. Then wait.
As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:
Double-click on someone, and you’re instantly logged in as them.
That’s it.
Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.
Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.
Extensão do Firefox permite aceder a contas de serviços Web (Firesheep)
Não sei se será o local indicado para esta noticia mas aqui vai:
Estamos a falar de uma extensão do Firefox que permite aceder a contas de serviços Web e muito mais….
Já todos sabemos que a segurança na Internet é, por vezes, algo em que apenas “queremos” acreditar – mas que na realidade deixa muito a desejar.
Tal como uma rede WiFi WEP actualmente oferece apenas uma falsa sensação de segurança, já que qualquer pessoa em poucos minutos a poderá “crackar”, também muitos sites bem conhecidos deixam bastante a desejar nesta área.
É que… embora a maioria dos sites ofereça uma página de login “segura”, logo de seguida guardam o vosso estado num cookie não encriptado, que facilmente se torna alvo de ataques indesejáveis.
E é isso mesmo que demonstra este Firesheep.
Com este plugin instalado no vosso Firefox, basta ligarem-se a uma rede WiFi pública com alguns utilizadores, e assim que qualquer um deles faça login num destes sites (como o Facebook), poderão – com um simples duplo clique – fazer entrar nesses sites como se fossem o utilizador real.
O add-on foi criado por Eric Butler, um programador norte-americano, e lançada numa conferência de segurança informática, onde explicou que a extensão foi criada com o intuito de alertar os cibernautas para os perigos de utilizar redes sem fios públicas desprotegidas para aceder a determinados sites.Denominada Firesheep, a extensão permite aceder aos dados de login de todos os sites que não utilizem tecnologias de encriptação para proteger os dados dos seus utilizadores.
«Isto deixa os cookies, e o utilizador, vulnerável», argumenta o programador no seu blogue pessoal, adiantando que «numa rede sem fios aberta, os cookies estão basicamente em todo o lado, o que torna estes ataques extremamente fáceis» de executar.
O programador explica que quando o add-on é instalado surge uma barra, que permite ver quando alguém que está a aceder à Internet numa rede sem fios pública acede a um site inseguro.
«Ao clicar no utilizador estamos a fazer login como se fossemos ele», sublinha.
De acordo com Eric Butler a aplicação já foi utilizada para aceder a dados de login de sites como o Facebook, Twitter, Flickr, Google e Amazon.
Citado pelo portal Computerworld um especialista em segurança informática da Sophos, Richard Wang, considera que «nada disto é novo e não é certamente uma falha».
Mesmo assim alerta que com «a Firesheep é tão fácil identificar [tráfego e cookies desprotegidos] que praticamente qualquer pessoa pode utilizá-la para ver o que as outras pessoas estão a fazer num hotspot público».
Poucas horas depois de Eric Butler ter disponibilizado a extensão on-line, já tinha sido descarregada cerca de 50 mil vezes.
Pensem no mal ou bem que uma ferramenta com esta usada no local “certo” pode causar!!!!
E se eu quiser ter acesso a toda a minha informação no Facebook?
http://developers.facebook.com/docs/reference/api/user
User
A user profile. You can get the entire profile or select the specific fields and connections using the fields query string parameter. The User object supports Real-Time Updates for all properties except the ones marked with ‘*’.
Exemplo
https://graph.facebook.com/me (current user)
Propriedades
id
The user’s ID
first_name
The user’s first name
last_name
The user’s last name
name
The user’s full name
link
A link to the user’s profile
about
The user’s blurb that appears under their profile picture
birthday
The user’s birthday
work
A list of the work history from the user’s profile
education
A list of the education history from the user’s profile
email
The proxied or contact email address granted by the user
website
A link to the user’s personal website.
hometown
The user’s hometown
location
The user’s current location
bio
The user’s bio
quotes
The user’s favorite quotes
gender
The user’s gender
interested_in
Genders the user is interested in
meeting_for
Types of relationships the user is seeking
relationship_status
The user’s relationship status
religion
The user’s religion
political
The user’s political view
verified
* The user’s account verification status
significant_other
The user’s significant other
timezone
The user’s timezone
Ligações
The user’s News Feed. Requires the read_stream permission
The user’s wall. Requires the read_stream permission to see non-public posts.
The photos, videos, and posts in which this user has been tagged. Requires theread_stream permission
The user’s own posts. Requires the read_stream permission to see non-public posts.
The user’s profile picture
The user’s friends
The activities listed on the user’s profile
The interests listed on the user’s profile
The music listed on the user’s profile
The books listed on the user’s profile
The movies listed on the user’s profile
The television listed on the user’s profile
All the pages this user has liked. Requires the user_likes or friend_likespermission
The photos this user is tagged in. Requires the user_photo_video_tags,friend_photo_video_tags and user_photos or friend_photos permissions
The photo albums this user has created. Requires the user_photos orfriend_photos permission
The videos this user has been tagged in. Requires the user_videos orfriend_videos permission.
The groups this user is a member of. Requires the user_groups or friend_groupspermission
The user’s status updates. Requires the read_stream permission
The user’s posted links. Requires the read_stream permission
The user’s notes. Requires the read_stream permission
The events this user is attending. Requires the user_events or friend_eventspermission
The threads in this user’s inbox. Requires the read_mailbox permission
The messages in this user’s outbox. Requires the read_mailbox permission
The updates in this user’s inbox. Requires the read_mailbox permission
The Facebook pages owned by the current user. If the manage_pages permission has been granted, this connection also yields access_tokens that can be used to query the Graph API on behalf of the page.
The places that the current user has checked-into.
The user’s outstanding requests for the app associated with the access token. See more info here.
Um exemplo de um link, deu nisto:
{
"id": "1042526339",
"name": "Romeu Costa",
"first_name": "Romeu",
"last_name": "Costa",
"link": "http://www.facebook.com/profile.php?id=1042526339",
"about": "qualquer coisa sobre ti.",
"birthday": "10/09/1980",
"education": [
{
"school": {
"id": "106400136062934",
"name": "Instituto Polit\u00e9cnico do Porto"
},
"year": {
"id": "115133045164350",
"name": "2007"
},
"concentration": [
{
"id": "115366591809369",
"name": "Tecnologias de Informa\u00e7\u00e3o"
}
],
"type": "College"
}
],
"gender": "masculino",
"relationship_status": "Solteiro(a)",
"website": "http://www.romeucosta.com",
"timezone": 1,
"locale": "pt_PT",
"verified": true,
"updated_time": "2010-01-08T00:11:55+0000"
}
Hom Digitalis 