Disconnect.me : Chrome, Firefox, Safari Extention
Protect yourself against WidgetJacking.
The text below is from the transcript of Episode 386 of Security Now, where Steve Gibson talks about "WidgetJacking".
The problem with that is that, because of the session granularity that browsers have, that is, when a browser makes a request, it's just - it's a request coming into the server in the sky, like any other request anywhere. And but we want to create a persistent relationship with the server and ourselves as we move around the website, as we do things, whatever it is, after logging on and authenticating ourselves. So that's done by having every single request send back the cookie that we were given when we were granted access and prove that we were who we say we are. So that token is our unique identity.
The problem is, and what Firesheep really exposed and turned the pressure up on these companies and essentially forced them to go HTTPS everywhere, or all the time, was that all of those roamings around Facebook were sending that cookie that was the person, it was their identity for the moment, for the session. It was sending it through the air, over the WiFi connection, in the clear. So Firesheep grabbed that, parsed all of the - it operated in so-called "promiscuous mode" with its WiFi radio, which is where, rather than the WiFi radio only receiving traffic meant for it, it would receive all traffic.
So it was seeing everything everyone was transmitting from their laptops to the access point. And it was looking at it, parsing it, finding out whether it was Facebook or LinkedIn or any of the growing number of sites, social networking sites and others, that it understood; and, if so, it would grab the cookie in the request header. And then it would go to the page, get the person's picture, and then stick it in a thumbnail in a little toolbar down the side. So you just turn this thing on at Starbucks, and it starts going bup bup bup bup bup bup bup, and people's faces are appearing, and you're looking around you, saying, oh, there he is over there. And then double-clicking on it allows you to impersonate him.
So this was a huge problem. And as you reminded us, I celebrated it because this was going on all the time anyway, and there was no way that it was going to be foreclosed on unless it was, like, really made to be a problem, so that the companies would go through the burdensome process of changing all their systems over so that they can be HTTPS, that is to say, SSL connections all the time. So we're more or less there.
Now, a security researcher named Brian Kennish gave a talk, a presentation at DEFCON about a year and a half ago, DEFCON 2011, on the prevalence and consequences of social widgets. He was noticing that widgets were just exploding all over the Internet. I mean, like Facebook's Like button, for example, which is, you go to sites now, and they're just lined up in a row. I sometimes am a little bit bemused that we're all supposed to recognize all of these little icons because it doesn't say Twitter and Facebook and Google. It's just they're little mini icon buttons. And look at the level of identity that has been established among these things. It's sort of breathtaking.
So back then, so this is a year and a half ago, widgets from Facebook.com, that domain, were then, and it's certainly more so now, found on 33 percent, so one third of the top 1,000 sites. Google.com had its presence, its widgets on 25 percent of the top 1,000, and Twitter on 20. And certainly those numbers are bigger today. And there's a neat site, BuiltWith, that I think we've talked about before. These guys monitor the technologies behind the web pages that we see, what are the technologies that websites are built with. And you can query their data, which is massive, in all kinds of ways.
Brian did this, to discover that Facebook Like buttons - and again, a year and a half ago - are up 63 percent in popularity year over year across the top 10,000 sites. Google +1 buttons were up, a year and a half ago, year over year 33 percent. So that's growth. And Twitter Tweet buttons, 35 percent growth. Now, here's the problem. Facebook deliberately used Facebook.com to host their widgets. Why? Because their members' browsers carry Facebook session cookies which identify them. And even if the cookie is no longer fresh, so that if you went to Facebook it would say you must log in, the cookie may have expired, but it's present. So it knows who you were, even if it's not sure who you are.
Well, as we know, browser cookies are stored by domain and sent by domain. Which is to say that, if your browser asks Facebook.com for anything - a page, a picture, the image of the button, the social networking button, your browser identifies itself. It sees, oh, I've got cookies that were issued to me once by Facebook.com. I'm going to give them back. That's what browsers do. That's the essence of our ability to maintain a stateful relationship with a browser is that every single request sends back the cookies that the browser has.
So what that means is that the social networking sites are sort of the next generation of privacy concern. It used to be, and we've discussed this often, that the advertisers, the so-called "advertising networks" like DoubleClick, they were a concern because their prevalence across the Internet meant that your browser established an unwitting relationship with them because they would give you a cookie. If you didn't give one to them, they would give one to you, and then henceforth you would give it back to them every time you pulled an ad on any website you went to on the Internet. And so thus that gave way to this whole tracking industry that has upset people to varying degrees.
Well, this has now changed sort of - okay. That's all still in place. This is why Google bought DoubleClick is because it generates revenue, apparently from this information aggregation. Facebook, and other social networking sites, is even in a stronger position because the argument used to be that, well, DoubleClick doesn't know who you are. They just know you're browser 39264783, and you've gone to these various places. We can argue that Facebook, on the other hand, knows a lot about you. I mean, it knows all kinds of things about you. In fact, it's becoming controversial how much of themselves people are putting into Facebook. So Facebook has all of this volunteered information and networked information. And then the 'Net has become littered with their Like buttons. So every time any Facebook user goes to any website that has a Like button, Facebook knows. So I'm not judging it, I'm just saying this is what's happening.
But that's the privacy side. There's a security side. And it's bad. The reason is these things are still not HTTPS. The widgets, the social networking widgets, Like buttons and +1 buttons and Tweet buttons and so forth, even though when you're using Facebook with HTTPS everywhere, all the time, turn it on, that's your use, your first-person use of Facebook, which Facebook is now enforcing as being over SSL. But other websites that host the Facebook Like button have no such constraint. Even on their secure pages, they may be HTTPS all the time, always secure. But their assets, the page assets, the images for these buttons are more often than not simply HTTP because that works better. They're guaranteed of it working. They don't have to wonder if it will or will not work. HTTP, the lower common denominator, always works.
So if you are back at Starbucks, and you are a Facebook user, and you are now not using Facebook because now you're protected by Facebook, if you've got SSL on and always secure, Facebook is protecting you. But if you then go anywhere else and encounter a Like button, your session cookie is in the clear once again.
You can read the rest of the Transcript here.
Or Download the full audio verson here
Or Listen to it right here.