Crack Facebook Firesheep

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.

After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big “Start Capturing” button. Then wait.

As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:

Double-click on someone, and you’re instantly logged in as them.

That’s it.

Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.

Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.
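As an added illustration of the exposure the post describes (example code, not Firesheep's or Eric Butler's, and both HTTP responses in it are constructed samples rather than captured traffic), the following check flags every cookie a login response sets without the Secure attribute, since that is what a browser will resend over plain HTTP and what a passive listener on an open network can pick up:

```python
# Added example (not Firesheep's or Eric Butler's code): audit a login
# response for the sidejacking exposure described above. Both responses
# are constructed samples, not captured traffic.

# Constructed: HTTPS login, but a cookie the browser will resend in the
# clear on the next plain-HTTP page load, which is what Firesheep captures.
WEAK_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=c0nstructed-token; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Constructed: same login with the cookie restricted to HTTPS and the host
# pinned to HTTPS via HSTS, so a passive sniffer never sees the token.
HARDENED_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=c0nstructed-token; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value}).
    Attribute names are case-insensitive; flags such as Secure map to True."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def audit_response(headers):
    """Report cookies a sniffer on an open network could capture.
    A cookie without Secure is sent on every plain-HTTP request to its scope.
    HSTS is reported separately: it keeps the browser on HTTPS for this host
    but does not change which cookies are eligible to travel over HTTP."""
    exposed, hsts = [], False
    for header, value in headers:
        lowered = header.lower()
        if lowered == "strict-transport-security":
            hsts = True
        elif lowered == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                exposed.append(name)
    return {"hsts": hsts, "exposed_cookies": exposed}
```

Run against the weak response it names both cookies as exposed and reports no HSTS; against the hardened one it reports nothing exposed.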


Firefox extension allows access to Web service accounts (Firesheep)

I'm not sure whether this is the right place for this news item, but here it goes:
We're talking about a Firefox extension that lets you access Web service accounts and much more....
We all already know that security on the Internet is sometimes something we only “want” to believe in, but which in reality leaves much to be desired.
Just as a WEP WiFi network today offers only a false sense of security, since anyone can “crack” it in a few minutes, many well-known sites also leave a lot to be desired in this area.
The thing is... although most sites offer a “secure” login page, right after that they store your state in an unencrypted cookie, which easily becomes the target of unwanted attacks.
And that is exactly what Firesheep demonstrates.
With this plugin installed in your Firefox, you just connect to a public WiFi network with a few users, and as soon as any of them logs in to one of these sites (such as Facebook), you can, with a simple double-click, enter those sites as if you were the real user.

The add-on was created by Eric Butler, an American programmer, and launched at a computer security conference, where he explained that the extension was created with the aim of alerting Internet users to the dangers of using unprotected public wireless networks to access certain sites. Named Firesheep, the extension allows access to the login data of all sites that do not use encryption technologies to protect their users' data.
«This leaves the cookies, and the user, vulnerable,» the programmer argues on his personal blog, adding that «on an open wireless network, cookies are basically everywhere, which makes these attacks extremely easy» to carry out.
The programmer explains that when the add-on is installed a bar appears, which lets you see when someone accessing the Internet over a public wireless network accesses an insecure site.
«By clicking on the user we are logging in as if we were them,» he stresses.
According to Eric Butler, the application has already been used to access login data for sites such as Facebook, Twitter, Flickr, Google and Amazon.
Quoted by the Computerworld portal, a computer security expert at Sophos, Richard Wang, considers that «none of this is new and it is certainly not a flaw».
Even so, he warns that with «Firesheep it is so easy to identify [unprotected traffic and cookies] that practically anyone can use it to see what other people are doing on a public hotspot».
A few hours after Eric Butler made the extension available online, it had already been downloaded around 50 thousand times.
Think about the harm or good a tool like this, used in the “right” place, can cause!!!!

And what if I want access to all my information on Facebook?

http://developers.facebook.com/docs/reference/api/user

User

A user profile. You can get the entire profile or select the specific fields and connections using the fields query string parameter. The User object supports Real-Time Updates for all properties except the ones marked with ‘*’.

Example

https://graph.facebook.com/me (current user)

Properties

id: The user’s ID
first_name: The user’s first name
last_name: The user’s last name
name: The user’s full name
link: A link to the user’s profile
about: The user’s blurb that appears under their profile picture
birthday: The user’s birthday
work: A list of the work history from the user’s profile
education: A list of the education history from the user’s profile
email: The proxied or contact email address granted by the user
website: A link to the user’s personal website
hometown: The user’s hometown
location: The user’s current location
bio: The user’s bio
quotes: The user’s favorite quotes
gender: The user’s gender
interested_in: Genders the user is interested in
meeting_for: Types of relationships the user is seeking
relationship_status: The user’s relationship status
religion: The user’s religion
political: The user’s political view
verified: * The user’s account verification status
significant_other: The user’s significant other
timezone: The user’s timezone

Connections

home: The user’s News Feed. Requires the read_stream permission
feed: The user’s wall. Requires the read_stream permission to see non-public posts
tagged: The photos, videos, and posts in which this user has been tagged. Requires the read_stream permission
posts: The user’s own posts. Requires the read_stream permission to see non-public posts
picture: The user’s profile picture
friends: The user’s friends
activities: The activities listed on the user’s profile
interests: The interests listed on the user’s profile
music: The music listed on the user’s profile
books: The books listed on the user’s profile
movies: The movies listed on the user’s profile
television: The television listed on the user’s profile
likes: All the pages this user has liked. Requires the user_likes or friend_likes permission
photos: The photos this user is tagged in. Requires the user_photo_video_tags, friend_photo_video_tags and user_photos or friend_photos permissions
albums: The photo albums this user has created. Requires the user_photos or friend_photos permission
videos: The videos this user has been tagged in. Requires the user_videos or friend_videos permission
groups: The groups this user is a member of. Requires the user_groups or friend_groups permission
statuses: The user’s status updates. Requires the read_stream permission
links: The user’s posted links. Requires the read_stream permission
notes: The user’s notes. Requires the read_stream permission
events: The events this user is attending. Requires the user_events or friend_events permission
inbox: The threads in this user’s inbox. Requires the read_mailbox permission
outbox: The messages in this user’s outbox. Requires the read_mailbox permission
updates: The updates in this user’s inbox. Requires the read_mailbox permission
accounts: The Facebook pages owned by the current user. If the manage_pages permission has been granted, this connection also yields access_tokens that can be used to query the Graph API on behalf of the page
checkins: The places that the current user has checked into
platformrequests: The user’s outstanding requests for the app associated with the access token. See more info here.

An example of one such link produced this:

{
   "id": "1042526339",
   "name": "Romeu Costa",
   "first_name": "Romeu",
   "last_name": "Costa",
   "link": "http://www.facebook.com/profile.php?id=1042526339",
   "about": "qualquer coisa sobre ti.",
   "birthday": "10/09/1980",
   "education": [
      {
         "school": {
            "id": "106400136062934",
            "name": "Instituto Polit\u00e9cnico do Porto"
         },
         "year": {
            "id": "115133045164350",
            "name": "2007"
         },
         "concentration": [
            {
               "id": "115366591809369",
               "name": "Tecnologias de Informa\u00e7\u00e3o"
            }
         ],
         "type": "College"
      }
   ],
   "gender": "masculino",
   "relationship_status": "Solteiro(a)",
   "website": "http://www.romeucosta.com",
   "timezone": 1,
   "locale": "pt_PT",
   "verified": true,
   "updated_time": "2010-01-08T00:11:55+0000"
}
