Rule 34 of the Tubes states “There is porn of it, no exceptions.” It is followed by Rule 35: “If no porn is found at the moment, it will be made.” This past Friday and subsequent Monday had me find a sort of PG-rated instance of Rule 35.
Have you heard of Firesheep? You should have. The twitters were ablaze with it. Sites like Facebook and Twitter, along with some other sites, were sending session cookies in plaintext and had been for years. Now, this isn’t quite as bad as sending passwords in plaintext, but it’s still a pretty straightforward exploit to gain access to someone’s account on, say, an unsecured wireless network. Finally, a freelance developer wrote an extension for Firefox that you can use at your local wireless hotspot, to see who’s logged into their social networking sites, and then to log in as them. It’s a great exploit that should hopefully put some pressure on Facebook, et al., to actually provide some security to users.
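The fix on the site side is to mark session cookies Secure (and HttpOnly) and keep the whole site on HTTPS so the browser never has a plain-HTTP request to attach them to. Here is an added example, not code from the post or from Firesheep, that audits a captured response for exactly that; the response, cookie names and domain are constructed:

```python
"""Audit an HTTP response for session cookies that can leak in cleartext.

This is an added example, not code from the original post. The response
below is constructed; cookie names and the domain are made up.
"""

# Name fragments that usually mark a cookie as an authentication artefact.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# A constructed response of the kind a 2010-era site handed out: the session
# cookie is scoped to the whole domain but has no Secure flag, so the browser
# will replay it on any plain-HTTP request to that domain.
SAMPLE_RESPONSE = [
    ("Set-Cookie", "session_id=3f9a2c01; Path=/; Domain=.example.test"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "auth_token=7b1e==; Path=/; Secure; HttpOnly"),
    ("Content-Type", "text/html"),
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # first '=' only; values may contain '='
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flags such as Secure and HttpOnly carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_response(headers):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if not any(h in name.lower() for h in SESSION_NAME_HINTS):
            continue  # preference cookies are not what hijacks an account
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure, sent on plain-HTTP requests")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    # Secure cookies only help if the site itself is never reached over HTTP.
    if not any(f.lower() == "strict-transport-security" for f, _ in headers):
        findings.append("no Strict-Transport-Security header, HTTP downgrade possible")
    return findings


if __name__ == "__main__":
    for line in audit_response(SAMPLE_RESPONSE):
        print(line)
```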
The really cool part, for me, is that only the previous Friday my coworker Brian and I were discussing the exact same vulnerability. It went something like Brian mentioning that lots of sites send session cookies in plaintext; to me not believing that they wouldn’t, you know, encrypt something like that; to him explaining how easy it would be to hack together a program to sniff out such cookies on a wireless network; to me putting it on my longer-term to-do list of awesome projects. The internets did not even give me a chance. So, that’s pretty cool. Ask and ye shall receive, more or less.