Your Facebook Privacy Settings Are Useless, I’ll Get You Anyway

By 2 Comments

Last weekend, I walked into my local coffee shop, purchased my usual eggs benedict (being British, this is still a novelty breakfast to me) sat down, opened my laptop and very casually hacked into three Facebook accounts, one Twitter account and one New York Times account. I didn’t write a line of code. I didn’t even need their usernames or passwords.

I got the idea from a recent TechCrunch article about Firesheep, a new Firefox extension designed specifically to show users how they can hack into anyones Facebook account without the need for knowing their username or password.

Thanks to this plugin, with one click, I could be in your account. I could change anything about you. I could be you. Or ruin you.

For the record, last weekend, all I did was see if Firesheep worked. I didn’t muck around in anyone’s personal information or read any heated emails about Saturday nights gone awry. But not everyone is as nice as me.

Privacy isn’t a right.

The Firesheep plugin, created by Eric Butler, is a very direct response to Facebook and many other popular online apps and services accused of keeping their users’ information vulnerable. That is, there continues to be no bulletproof way of stopping other people from seeing your status updates about how terrible life is, or those photos of you having far too much to drink, or perhaps finding out you exist at all.

When these online apps started coming under attack from users and the media about their poor privacy practices, these online apps and services started adding settings that let you control what you want others to see about you. This became de-facto, and for the most part we became relatively satisfied with this maraud of settings.

Well, guess what: none of that matters. Turns out, if someone can access your account without a username or password, without being on your computer, without evening knowing you exist in the first place, they can just override all of these settings you so carefully took time to consider.

Privacy, as it turns out, is no longer a right. If you’re online, you can expect that your privacy was compromised the moment you logged on.

OK, it’s not that scary

I really did walk into a coffee shop and gain access to peoples’ Facebook accounts. I really didn’t use any code or geeky tomfoolery to get that access.

This is how I did it.

When you’re on an open WiFi connection, it means you didn’t use a password to get on to the wireless network and that means anyone can read the data you’re entering or receiving over the network. You’re effectively sending a snail mail letter without an envelope. For purpose of clarity, an open WiFi connection is when no password was used to access it, and you didn’t go through a “welcome” page when you first logged onto the network. You simply double clicked on the network and got straight on it, having never previously entered a password.

Now then, couple this with something called “cookies“. You’re likely aware of what these are, but just as a refresher, cookies are able to store information that is later used by websites for various reasons, including tracking your actions, navigation paths, shopping cart contents, and in some naughty cases, your login information. For our purposes, we’re talking about cookies that store “session” information. Sessions are what control your access to websites. For instance, when you login to Facebook you create a session. Cookies then store this session information so you can keep using the session the next time you go to Facebook. It’s why you don’t need to login manually again to Facebook throughout your day.

The next thing we need to talk about is “sniffing“. So let’s go back to that open WiFi connection at your local cafe. Despite its convenience, you are vulnerable to people “sniffing” the information you send over it. Sniffing simply means taking small amounts of the data being passed over the network and making sense of it. If we sniff enough, we’ll gather enough information to create a replica cookie that can be used to login to something like Facebook. If I replicate the cookie, I can login as you without the need to know any login information. I hijack your cookie.

This all sounds like a lot of work, right? Well, what Butler has done with his Firesheep plugin is provide a one-click solution for replicating and hijacking cookies. Joe Average is now able to hack into personal information.

Wait, this is scary!

You’re right, I’m taking you on a roller-coaster here.

Cookie jacking, the method I was using to gain access to victims’ accounts, is something that has been around for a long, long time. Certainly before Facebook and way before Butler came along and made it extremely easy to do. So this is nothing new, open wireless networks have always been vulnerable.

There are two things that can get in the way of cookie jacking, they certainly won’t give you a 100 percent guarantee, but they will stop one-click solutions like Firesheep and its brood that is undoubtedly on the way.

  1. Stop connecting to open wireless networks. Sure, it’s awesome when you can just hop onto someones wireless network. It’s something else when they hack you as a result. I repeat, don’t connect to open wireless networks! This is without a doubt the best way of blocking out Firesheep type hacks.
  2. Only connect to websites with SSL, which is the https:// part of the website address, so things like online banking will be relatively secure, at least from cookie jacking, over an open network. Alternatively, if you’re using Firefox, you can force most websites to do this by using HTTPS Everywhere, if you’re using another browser, then see advice doled out in bullet point #1.
  3. Wear a tin foil hat.

Finally, I want to be very clear about one thing. This is not, in any way, the fault of Facebook, Twitter or any other social network, web app or website. This is also not the fault of Eric Butler, his extension, nor Firefox themselves. This is not the responsibility of the person running the network.

It is your responsibility. You took the choice of logging on to a completely open WiFi network. You run these risks, whether you knew about them or not. You are ultimately responsible for making sure the computer you use is not able to leak information that might be used against you. Get educated. Get protected.

Talk to us! Now that we’ve given you the riot act about your responsibility as it pertains to using open wireless networks,  are you actually worried about this stuff? If not, why? Do you feel that blame should be shifted elsewhere?

  • jad

    ok i have been using an open wireless isnt there anyways to know if the owner of the connection opening my facebook account? please help me

    • http://www.zendesk.com Jake Holman

      Yes and no, which continues the fashion of confusing security features in Facebook.

      Facebook has a feature which allows you to control login sessions that are active on your account, as well as being notified about logins from different locations or computers.

      To get to this feature go here when logged into your account: https://register.facebook.com/editaccount.php – now go down to "Account Security" and click "Change". From here, you can control login sessions. Be careful not to delete your own!

      This becomes pretty complex in an open network in particular. They'll be using the same IP address as you and potentially the same browser, so identifying bogus logins is a challenge.

      As advised, try not to connect to open wireless connections if possible.