No, this is not an article on the new version or even newly added super hero features for firesheep? #titlefail? Maybe but please read on then decide.
I know firesheep has lost its shiny coin syndrome with most but the attack is still working quite well in the field. While the readers/listeners have been doing a good job of enabling secure browsing options in Twitter and Facebook, we still have a long way to go. Please keep spreading the word and keep pleading to social networking sites to enable secure browsing by default. So, Why the “Firesheep’s Revenge” title? Well these last month’s, a couple of us have been testing common social media monitoring (SMM) tools. These tools are generally used by small businesses, internal marketing, or external marketing companies to help update social media accounts without the hassle of logging into every social networking site individually. We have been testing these SSM’s and found that:
http://hootsuite.com/dashboard#
http://sproutsocial.com/dashboard
http://standard.cotweet.com/channels#
Are not using secure browsing by default, allowing us to hijack sessions. What does this mean? Well by adding your social media accounts into these SMM tools, you are granting the tool permission or full control over that account(s). By gaining control over the tool we are bypassing all the hard work you did by enabling secure browsing in each of your twitter and facebook accounts. Try explaining to the VP of Marketing that even though you checked the “defeat firesheep” box it still works. And not only will it work on Facebook/Twitter but now LinkedIn, Foursquare, ping.fm and Ning accounts all in one interface. Most of the time we were looking at full access to the corporations social media strategy. So, we are right back to where we started, teaching the user that security is usually the last thing on the mind of these rapid development firms. If you do not see the option of “secure browsing”, then please be careful of where you update your social media accounts. Ask your tool makers where this option is located. If they do not have this option then maybe you should look for another tool.
James F. Ruffer III
Unixbox
@jruffer