A new Firefox extension called Firesheep exposes a security weakness in Facebook’s log-in process: once you are logged in, anyone sharing an open Wi-Fi network with you can take over your session.
A Codebutler blog post explains how Firesheep works. In short, the extension lets an attacker on the same network capture another user’s session cookie and replay it, so the attacker is logged in to Facebook as that user without ever seeing a password. The vulnerability was already there; Firesheep just makes exploiting it as easy as opening the extension and double-clicking on someone’s name to log in as them.
According to Facebook, the log-in itself uses SSL whether you go via https://www.facebook.com or plain http://www.facebook.com: your user name and password are submitted over an encrypted connection. However, the rest of the site is not encrypted. Once your password has been checked, Facebook sets a session cookie that identifies you on every subsequent request, and that cookie travels over plain, unencrypted HTTP.
This is not a problem on a network you trust. On an open Wi-Fi network, however, anyone else on the same network can read the cookie out of your traffic and replay it to log in as you. “On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy,” the Codebutler post says. As far as Facebook is concerned, it is seeing the same cookie coming from the same IP address, since everyone on a typical hotspot sits behind the same public address.
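The capture-and-replay described above, as an added example that is not part of the article and not Firesheep’s own code. The captured request, the host name, the cookie names and the session store are all constructed for illustration; the site is hypothetical. The block shows the two halves of the problem: what a sniffer pulls out of a plaintext request and turns into a replay, and what the server has to change (issue the cookie with the Secure flag and refuse sessions that arrive over plain HTTP) so there is nothing to sniff.

```python
# Added example (not from the article or from Firesheep): how a session cookie
# leaks over plaintext HTTP and how the Secure flag plus a server-side check
# closes that hole. All hosts, paths and cookie names below are hypothetical.
from http.cookies import SimpleCookie

# Constructed sample: a request that a browser sends over plain HTTP on an open
# Wi-Fi network. Anyone on the same network can capture these bytes as-is.
SNIFFED_REQUEST = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.example-social.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: user_id=1234567; session=4f3c9e1a2b7d; theme=dark\r\n"
    b"\r\n"
)

# Cookie names that identify a logged-in session on the hypothetical site.
SESSION_COOKIE_NAMES = ("user_id", "session")


def parse_request(raw: bytes):
    """Split a captured HTTP request into (method, path, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def extract_session_cookies(raw: bytes) -> dict:
    """What a sniffer does: pull only the session-identifying cookies out of a
    plaintext request. Returns {} when the request carries no session."""
    _, _, headers = parse_request(raw)
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return {k: jar[k].value for k in SESSION_COOKIE_NAMES if k in jar}


def build_replay_request(host: str, path: str, cookies: dict) -> bytes:
    """Replay: a fresh request that presents the stolen cookies. No password is
    needed; the cookie alone is the proof of log-in."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        f"Cookie: {cookie_header}\r\n\r\n"
    ).encode()


# ---- server side -----------------------------------------------------------

# Hypothetical session store: session token -> user id.
SESSIONS = {"4f3c9e1a2b7d": 1234567}


def issue_session_cookie(token: str, secure: bool) -> str:
    """Set-Cookie header value. With secure=True the browser never sends the
    cookie over plain http://, so it never crosses an open network in clear."""
    attrs = "Path=/; HttpOnly"
    if secure:
        attrs += "; Secure"
    return f"session={token}; {attrs}"


def user_for_request(raw: bytes, over_tls: bool, require_tls: bool):
    """Resolve the user a request belongs to.

    require_tls=False is the behaviour the article describes: the cookie is
    accepted from any connection, so a replayed cookie logs the attacker in.
    require_tls=True refuses session cookies that arrive over plaintext, so a
    client that still sends the cookie over http:// gets no session back.
    """
    cookies = extract_session_cookies(raw)
    token = cookies.get("session")
    if token is None or token not in SESSIONS:
        return None
    if require_tls and not over_tls:
        return None
    return SESSIONS[token]


if __name__ == "__main__":
    stolen = extract_session_cookies(SNIFFED_REQUEST)
    replay = build_replay_request("www.example-social.test", "/home.php", stolen)
    print("stolen:", stolen)
    print("vulnerable server sees user:",
          user_for_request(replay, over_tls=False, require_tls=False))
    print("hardened server sees user:",
          user_for_request(replay, over_tls=False, require_tls=True))
    print("Set-Cookie:", issue_session_cookie("4f3c9e1a2b7d", secure=True))
```

Note the order of the two controls. The Secure flag is what actually prevents the leak: a cookie the browser never sends over plain HTTP cannot be captured on the hotspot. Refusing plaintext sessions on the server is the backstop that makes that policy enforceable, but it does nothing against a cookie that was already captured before the change, since the attacker can replay that one over HTTPS just as well; sessions issued before the cookie carried the Secure flag have to be invalidated too.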
I approached Facebook to see what they had to say about this problem. A spokesman said the company was working on adding SSL access to Facebook as an option, but in general would advise people not to send sensitive information from a public network.
“We have been making progress testing SSL access to Facebook and hope to provide it as an option in the coming months. As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks. This tip and others can be found on the Facebook Security Page.
“Be careful about the information you access or send from a public wireless network. To be on the safe side, you may want to assume that other people can access any information you see or send over a public wireless network. Unless you can verify that a hot spot has effective security measures in place, it may be best to avoid sending or receiving sensitive information over that network.”
However, I don’t think this goes far enough. Most users would be surprised that Facebook’s definition of sending “sensitive information” included the simple act of logging in to the site. While Facebook has been taking measures against spammers, this seems to be a pretty gaping security gap that needs to be closed. The option of 100% SSL access to Facebook can’t come fast enough.
Firesheep is free and open source and is available now for Mac OS X and Windows, with Linux support on the way.