Firefox Extension Firesheep Enables Website Hijacking
6:19 PM EST Mon. Oct. 25, 2010
The extension, known as Firesheep, was developed by freelance Seattle-based developer Eric Butler, who said he created the program to illustrate the vulnerability and security risks of high-profile Web applications, especially when run over unsecured Wi-Fi networks.
In particular, Butler pointed to the fact that insecure applications can open the door for HTTP session hijacking attacks. Also known as "sidejacking," HTTP session hijacking occurs when an attacker gets hold of a user's cookie, which allows the attacker to impersonate the user and hold the same online privileges as the user on any given Website.
"On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy," Butler said in a blog post. Butler presented his findings at the Toorcon 12 security conference in San Diego.
Altogether, Firesheep targets 26 of the most widely used and highest trafficked applications on the Internet, including Amazon, Facebook, Foursquare, Google, Twitter, WordPress, The New York Times and Yahoo.
Essentially, Firesheep is a packet sniffer designed to detect cookies and analyze unencrypted Web traffic on an open Wi-Fi connection between a router and personal computers. Once users log onto a Web site, the browser sends the site-specific cookie back to the site, identifying the user with information such as username and session ID.
However, if users log onto one of the 26 sites, the Firesheep extension can sniff out the cookie associated with the visited site. The extension then enables hackers to capture the authentication cookies that these Web sites send over an unsecured network, allowing miscreants to log on to one of the 26 applications as the original user.
For example, a hacker who hijacks a Facebook session could access a user's Facebook profile picture and then infiltrate the account, even without a password.
The Firefox extension was released on both Mac OS X and Windows platforms to bolster a talk presented by Butler at the Toorcon 12 security conference. Butler, who demonstrated the extension in his blog post, says he hopes to raise awareness about the need for Websites to use end-to-end encryption, known as HTTPS or SSL, to secure the entirety of a user's Web session.
"This is a widely known problem that has been talked about to death, yet very popular Web sites continue to fail at protecting their users," Butler said in his blog. "It's extremely common for Web sites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable."
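The gap Butler describes, an encrypted login followed by cookies that still travel in the clear, can be checked from the defender's side by auditing a site's own Set-Cookie headers. The following is an added example, not code from Butler or from Firesheep; the host `www.example.test`, the cookie names and both sample flows are constructed for illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit


def cookie_attrs(set_cookie_value: str) -> tuple[str, set[str]]:
    """Return (cookie name, lowercase attribute names) for one Set-Cookie value."""
    first, *rest = [p.strip() for p in set_cookie_value.split(";")]
    name = first.split("=", 1)[0]
    return name, {p.split("=", 1)[0].strip().lower() for p in rest if p}


def exposed_cookies(flow: list[tuple[str, list[tuple[str, str]]]]) -> list[str]:
    """Names of cookies that can cross the network unencrypted.

    A cookie counts as exposed when it is set over plain HTTP, or when it is
    set over HTTPS without the Secure attribute, because the browser will then
    also attach it to any later http:// request to the same site.
    """
    exposed = set()
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        for key, value in headers:
            if key.lower() != "set-cookie":
                continue
            name, attrs = cookie_attrs(value)
            if scheme != "https" or "secure" not in attrs:
                exposed.add(name)
    return sorted(exposed)


# Constructed sample: login is encrypted, but the session cookie lacks Secure
# and the rest of the site is served over HTTP.
WEAK_FLOW = [
    ("https://www.example.test/login",
     [("Set-Cookie", "session_id=CONSTRUCTED123; Path=/; HttpOnly")]),
    ("http://www.example.test/home",
     [("Set-Cookie", "prefs=lang-en; Path=/")]),
]

# Constructed sample: whole session over HTTPS, session cookie marked Secure.
HARDENED_FLOW = [
    ("https://www.example.test/login",
     [("Set-Cookie", "session_id=CONSTRUCTED123; Path=/; Secure; HttpOnly")]),
    ("https://www.example.test/home", [("Content-Type", "text/html")]),
]

if __name__ == "__main__":
    print("weak flow exposes:", exposed_cookies(WEAK_FLOW))
    print("hardened flow exposes:", exposed_cookies(HARDENED_FLOW))
```

Note that HttpOnly on the weak flow's session cookie does not help here: it restricts script access in the browser, not what is visible on the wire.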
In particular, Butler called out social networking sites Facebook and Twitter, claiming that privacy initiatives and other tweaks did little to protect users if the site was vulnerable to HTTP hijacking attacks.
"Facebook is constantly rolling out new 'privacy' features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely?" he said. "Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room."