Remember Firesheep – the Firefox extension that makes it easy to steal user logins and take over social media sites and email accounts when users log in through unsecured WiFi hotspot? Although the intention of the developers were philanthropic, the temptation for people to use it for nefarious purposes is too great. Take into the account the huge number of downloads of the addon, and we have got a real threat.
The researchers at Zscaler have created a free Firefox plugin called BlackSheep to help police the situation. BlackSheep warns users if someone is using Firesheep on their network and also indicates the IP address of the machine that is spying on you.
BlackSheep detects Firesheep by making HTTP requests to the affected sites using fake cookie values, then listens to all HTTP requests on the network to detect if somebody else is using the same fake values.
FireSheep listens to the HTTP traffic on port 80. When it identifies a transaction to a known site (Facebook, Google, Yahoo!, etc.), it looks for specific cookie values which are then used to identify a specific user. This phase of the attack cannot be detected as it is done passively.
When FireSheep identifies a user session, it then makes a request to the same site using the user’s cookie values in order to retrieve user information such as their name, picture, etc. This active network activity is however visible to others on the local network.
BlackSheep detects the active connection made by Firesheep. It does this by making HTTP requests to random sites handled by FireSheep every 5 minutes (configurable) with fake values. BlackSheep then listens to all HTTP requests on the network to detect if somebody else is using the same fake values.
Since BlackSheep is based on the FireSheep source code, you have to uninstall Firesheep before you install BlackSheep, otherwise BlackSheep will detect that you are using FireSheep.