Firesheep and Steam

I put together a quick Firesheep handler for a session cookie flaw that was disclosed here. It’s nothing crazy, or groundbreaking, but I figured I’d post it here and get credit where credit is due. It would blow if someone else found this from me posting it places and took credit.
I have a link to this on a pastie.org private paste, you can also view that instead if you like.

register({
name: 'steam.com',
url: 'http://www.steampowered.com',
domains: [ 'steampowered.com' ],
sessionCookieNames: [ 'steamLogin'],
});

Open up Notepad or whatever text editor you use, copypasta this and save as steam.js to the directory below in Windows

%appdata%\Mozilla\Firefox\Profiles\sgmeared.default\extensions\firesheep@codebutler.com\

I’m too lazy to look up the extension paths in other OSes, so you’re just going to have to do a little work.

I’m going to be looking into how the Steam client handles cookie data this week, I’m pretty sure I can steal a session cookie and use it in the client itself to download whatever. I’ll have to see how it works first 🙂

Posted in projects Tagged with: , , ,
2 comments on “Firesheep and Steam
    • g3k says:

      I was able to very easily steal a cookie from the Steam client, but I’ve been looking off and on for a while for a way to bypass SteamGuard using cookies. It’s a work in progress, but it’s been slow going.

Leave a Reply

Your email address will not be published. Required fields are marked *

*