Tuesday, February 01, 2011

Close this Facebook Security Hole in Your Account. (It's easy.)

Last week, Ryan Tate at Gawker called attention to a serious flaw in Facebook that potentially exists for anyone who visits the site over an unencrypted wireless connection. Geek details at the bottom of this post, but let's get to the important part first: prompted by the attention that this hole received, Facebook has come up with a fix. It's quick and easy to do, and you should do it right away, especially if you're in the habit of visiting Facebook while at your favorite coffee shop or other public WiFi hotspot.

Here's how to close the hole. Log in to Facebook. Pull down the Account menu from the toolbar running across the top of the page. Click the Account Settings choice.

On the next page, scroll down to the Account Security section and click the "change" link. You should see a check-box labeled:

Secure Browsing (https)
Browse Facebook on a secure connection (https) whenever possible

Check that box and you're done. To confirm, visit a few other pages on Facebook -- the address bar should now start with https:// (and show the browser's lock icon) on every one of them. If it doesn't, log out and log back in.

If you don't see that option, look for it again in a day or two, and keep checking until you do see it. Facebook is rolling out this change, as the current term of art would have it, which means it will take some time for all accounts to be offered this option. (It took until yesterday before it was available to me.)

There may be problems with some third-party applications, says Facebook, according to Ryan Naraine of Kaspersky Lab. I'd expect these to be cleared up as developers update their apps; in the meantime, you can always uncheck the box you just checked, if you simply must use that app right now. Bear in mind that unchecking it puts all of your Facebook traffic back on plain http, not just that one app, so remember to check it again once you're done.

Here's a screen shot. Click it to big it.

Here's a two-minute video, created by the computer security firm Sophos, that will walk you through the steps, in case my description above wasn't clear enough.

(alt. video link)

And now, as promised (or threatened) above, a few geek details. No need to read them if all you care about is taking care of the problem, although you should be aware that this problem is not at all unique to Facebook.

Many places that offer WiFi hot spots use unencrypted connections to make it easier for people to get online, without having to mess around with access passwords and so on. When you're surfing the Web over an unencrypted connection, it is possible for someone else to eavesdrop on the traffic between your computer and the servers running the site you're visiting.

Facebook, along with a whole buttload of other major sites, typically offers a secure (https) connection on its login page, so your password itself is protected. But after that, traffic back and forth is sent in the clear, without the encryption of an https connection. One of the things that is sent, and that is of great interest to snoops, is a cookie (a small bit of text) that your browser attaches to every single request it makes to the site. You pretty much have to allow this cookie to go back and forth -- it's how the site maintains an awareness of who you are, which in turn allows you to see your own messages, the private items your friends have posted, and so on.

So, a snooper has only to pick up that cookie as it's being transmitted, load it onto his or her machine, and from then on, he or she can be you on that site. Put another way, Facebook thinks the cookie coming from another machine just means that you have started using a different computer, and so lets "you" (the impersonator) do whatever it would allow the real you to do -- read your private messages, post stuff you'd be embarrassed by, harass others who are your Facebook friends, and so on.

This security hole has been an open secret for quite some time. It's why Gmail switched to full-time https connections a year ago. (That, and the realization that it's no longer expensive or painful.) A full-time https connection means that even though your wireless connection is unencrypted, everything that's sent to or from your computer is encrypted before it is transmitted, with a key that is set up for that one connection and never goes over the air. A snooper can still eavesdrop, but all he or she sees is ciphertext; the cookie travels inside that encrypted tunnel and can't be picked out of it. The snooper may still be able to overhear you, but can no longer understand you, so to speak.
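Here is the whole sequence modelled offline in Python, as an added example that is not code from this post, from Facebook, or from Firesheep. It takes a constructed plain-HTTP request (the kind a sniffer at the hotspot would see once the browser has left the https login page), lifts the session cookie out of it, drops it into a replay request, and then shows the check that actually closes the hole: a cookie set with the Secure attribute is one the browser never attaches to an http:// request, so there is nothing usable on the air to begin with. The host name, the cookie names (sessid, datr, locale) and their values are all made up for the example.

```python
"""Sidejacking, modelled offline.

1. A plain-HTTP request as a sniffer at the hotspot would see it.
2. The session cookie lifted out of it and put into a replay request.
3. The check that closes the hole: a cookie carrying the Secure
   attribute is one the browser never attaches to an http:// request,
   so nothing usable crosses the air in the first place.
"""
from http.cookies import SimpleCookie

# Constructed sample capture. Host, cookie names and values are made up;
# "sessid" stands in for whatever cookie a site uses to identify a logged-in
# session. Everything after the https login page went back to plain http,
# so this request, cookie included, was transmitted in the clear.
CAPTURED_REQUEST = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.example-social.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: datr=abc123; sessid=d41d8cd98f00b204e9800998ecf8427e; locale=en_US\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

SESSION_COOKIE_NAMES = ("sessid",)   # assumption: the site's login cookie


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def steal_session(raw: bytes, names=SESSION_COOKIE_NAMES) -> dict:
    """What Firesheep-style tools do: pull the session cookie(s) out of a
    plaintext request. Returns {} if the request carried none."""
    _, _, headers = parse_request(raw)
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return {name: m.value for name, m in jar.items() if name in names}


def replay_request(raw: bytes, stolen: dict) -> bytes:
    """Build the impersonating request: same target and host, but only the
    stolen session cookie. The site sees a valid session and answers as if
    the victim had simply moved to a new computer."""
    _, target, headers = parse_request(raw)
    cookie = "; ".join(f"{k}={v}" for k, v in stolen.items())
    return (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {headers['host']}\r\n"
        f"Cookie: {cookie}\r\n\r\n"
    ).encode("iso-8859-1")


def cookies_sent_over(set_cookie_headers, scheme: str) -> list:
    """Names of the cookies a browser would attach to a request using the
    given scheme. Per RFC 6265 section 4.1.2.5, a cookie with the Secure
    attribute is only sent over a secure channel (https), never plain http."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    return sorted(name for name, m in jar.items()
                  if scheme == "https" or not m["secure"])


# How a login response might set its cookies before and after a fix.
# Without Secure, the browser sends sessid on every http:// page view and
# the capture above is possible; with Secure, it goes only over https.
SET_COOKIE_BEFORE_FIX = [
    "datr=abc123; Path=/",
    "sessid=d41d8cd98f00b204e9800998ecf8427e; Path=/; HttpOnly",
]
SET_COOKIE_AFTER_FIX = [
    "datr=abc123; Path=/",
    "sessid=d41d8cd98f00b204e9800998ecf8427e; Path=/; Secure; HttpOnly",
]


if __name__ == "__main__":
    stolen = steal_session(CAPTURED_REQUEST)
    print("lifted off the air:", stolen)
    print(replay_request(CAPTURED_REQUEST, stolen).decode())
    for label, headers in (("before fix", SET_COOKIE_BEFORE_FIX),
                           ("after fix ", SET_COOKIE_AFTER_FIX)):
        print(label, "over http :", cookies_sent_over(headers, "http"))
        print(label, "over https:", cookies_sent_over(headers, "https"))
```

The point of the last function is the one the "whenever possible" wording in the checkbox glosses over: serving pages over https only helps if the session cookie is also marked Secure, because otherwise a single plain http:// link to the site (an image, an app frame, a typed address) makes the browser hand the cookie over in the clear again.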

This security problem, called sidejacking (the name goes back to Robert Graham's Hamster and Ferret tools from 2007), was brought to a head by Eric Butler, a software developer who got fed up with the lack of response from Facebook and others, and so wrote a Firefox add-on called Firesheep that allows anyone to sit in a public WiFi hotspot and do this cookie-swiping and impersonation with a couple of clicks of the mouse. If you're interested in computer security, start with this post of his, and look around on his site for other posts discussing Firesheep.

If you're in somewhat of a panic by now, don't be. If you haven't noticed anything weird on your account, you probably weren't a victim of this sort of attack. And even if you're sitting in a public hotspot right now, once you make the simple change described above, you're good. To be extra safe, log out and log back in again after you do make the change. Logging out tells Facebook to stop honoring your old cookie, so a copy that somebody may already have captured becomes useless, and logging back in creates a fresh one that, as long as you stay on https, is only ever transmitted in encrypted form.

Also, if you haven't been connecting to Facebook from public hotspots, you're unlikely to have been exposed to this risk. The typical home WiFi connection is encrypted out of the box these days. (Remember how you had to type in a password back when you set it up?) That password keeps outsiders from reading your traffic; it does not protect you from other people who know it, which is why a cafe network with its password written on the chalkboard is not much better than an open one. Still, there's no reason not to make the changes above -- it will not bog down your Facebook experience, and you'll be safe if you do connect to Facebook over an unencrypted connection in the future.

Final note: I mentioned above that this security hole is not specific to Facebook. Good on them for getting to it, finally. Meanwhile, many other big sites, like Amazon, PayPal, WordPress, and Twitter, just to name a few, still put you at risk of being snooped and impersonated if you're using an unencrypted wireless connection. If you do spend a lot of time using public hotspots, you may want to have a look at the Electronic Frontier Foundation's add-on called HTTPS Everywhere, which rewrites your requests to use https on sites it has rules for. It can only do that where the site actually offers https; it can't encrypt a connection to a site that doesn't.

To participate in the effort to get the world's top 100 websites to switch to full-time https connections, and to learn more about the issue, start at the "Demand HTTPS" petition page on AccessNow.org.
