New Firefox add-on hijacks Facebook, Twitter sessions
Lets 'pretty much anyone' steal 'shouted' session cookies; illustrates poor security at major sites
Computerworld - A new Firefox add-on lets "pretty much anyone" scan a Wi-Fi network and hijack others' access to Facebook, Twitter and a host of other services, a security researcher warned today.
The add-on, dubbed "Firesheep," was released Sunday by Eric Butler, a Seattle-based freelance Web application developer, at the ToorCon security conference, which took place Oct. 22-24 in San Diego.
Butler said he created Firesheep to show the danger of accessing unencrypted Web sites from public Wi-Fi spots.
Although it's common for sites to encrypt user log-ons with HTTPS or SSL, few encrypt the actual traffic. "This leaves the cookie, and the user, vulnerable," said Butler in a post to his personal blog. "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."
Butler did not reply to an interview request Monday.
"None of this is new, the flaw certainly isn't," said Richard Wang, the U.S. manager of SophosLabs, the research arm of Abingdon, England-based security company Sophos. "But Firesheep makes it so easy to discover [unencrypted traffic and cookies] that pretty much anyone can use it to listen to what others are doing at public hot spots."
Firesheep adds a sidebar to Mozilla's Firefox browser that shows when anyone on an open network -- such as a coffee shop's Wi-Fi network -- visits an insecure site. "Double-click on someone [in the sidebar] and you're instantly logged on as them," said Butler in his short description of his add-on.
The add-on appears to be irresistible: Since Butler posted Firesheep on Sunday it's been downloaded nearly 50,000 times.
Butler created Firesheep to illustrate the wide-ranging problem of unencrypted sites and public networks. "Web sites have a responsibility to protect the people who depend on their services," he said. "They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure Web. My hope is that Firesheep will help the users win."
Wang said he was hopeful that the add-on would prompt more sites to encrypt their sessions. "The hope here is of increased use of HTTPS," he said. But he also urged more public networks to secure users, although he acknowledged the logistics -- handing out the passwords that users would need in order to connect -- would be daunting. "It's the old 'security-vs.-convenience' argument," he noted.
Users can protect themselves, said Wang, by refusing to access insecure sites while at open networks.
He added that people who are more technically inclined could rely on a secure proxy server, perhaps one run on their work machine, which their laptops would in turn access. "But that's not a solution for the average user," Wang admitted.
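The weakness Butler describes above (an HTTPS log-on that then hands the browser a session cookie it will resend over plain HTTP) is something a site operator can check for in their own responses. The following Python is an added example, not code from the article or from Firesheep; it audits constructed Set-Cookie headers from a hypothetical site, and the cookie name `sessid`, the header lists and the helper names are assumptions.

```python
# Added example (not from the article or Firesheep): audit Set-Cookie headers
# for the weakness Firesheep exploits. A cookie issued during an HTTPS log-on
# but lacking the Secure attribute is resent, in the clear, on every later
# plain-HTTP request, which is what a sniffer on open Wi-Fi sees.
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name=name, secure="secure" in attrs, http_only="httponly" in attrs)


def audit_session_cookies(response_headers: list, session_names: set) -> list:
    """Flag session cookies that the browser would 'shout' over plain HTTP."""
    hsts = any(k.lower() == "strict-transport-security" for k, _ in response_headers)
    results = []
    for key, value in response_headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if cookie.name not in session_names:
            continue  # only session-bearing cookies matter for hijacking
        if not cookie.secure:
            cookie.problems.append("missing Secure: cookie will be sent over plain HTTP")
        if not cookie.http_only:
            cookie.problems.append("missing HttpOnly: cookie readable by page scripts")
        if not hsts:
            cookie.problems.append("no Strict-Transport-Security: browser may still use HTTP")
        results.append(cookie)
    return results


# Constructed samples (hypothetical site): the weak log-on response the article
# describes, and the same response with the cookie and transport hardened.
WEAK_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_LOGIN_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessid=abc123; Path=/; Secure; HttpOnly"),
]
```

Running `audit_session_cookies(WEAK_LOGIN_RESPONSE, {"sessid"})` reports the missing Secure attribute and missing HSTS header, while the hardened response produces no findings.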
Firesheep, which works with the Windows and Mac OS X versions of Firefox, can be downloaded free of charge at the GitHub site.
Butler is working on Firesheep for the Linux edition of Firefox.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.