Computers

Firesheep session hijacking tool makes public Wi-Fi useless

View 3 Images
The Firesheep add-on for Firefox
The Firesheep add-on for Firefox
The Firesheep add-on for Firefox
The Firesheep add-on for Firefox
View gallery - 3 images

At the Toorcon 12 hacker conference in San Diego on Sunday, Seattle programmer Eric Butler introduced his Firesheep add-on for the Firefox Web browser in an effort to bring attention to the weakness of open Wi-Fi networks. In a practice known as HTTP session hijacking (or "sidejacking") the add-on intercepts browser cookies used by many sites, including Facebook and Twitter, to identify users and allows anyone running the program to log in as the legitimate user and do anything that user can do on a particular website.

In a post on his site Butler describes how Firesheep works. Once installed, Firesheep displays a sidebar with a "Start Capturing" button. All the user needs to do is connect to an open Wi-Fi network, click the button and as soon as anyone on the network visits an insecure site known to Firesheep, the program captures the cookie that contains their log in details and their name and photo will be displayed in the sidebar. Double click on the displayed user and you'll be logged in as them and able to wreak all kinds of havoc.

Butler highlights Facebook and Twitter as two of the more popular sites that are vulnerable to sidejacking using Firesheep but the program can also capture cookies from Foursquare, Gowalla, Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, WordPress, Yahoo and Yelp. Additionally, users can write their own plugins to access other unsecured HTTP sites.

Butler says the only effective way to combat the vulnerability Firesheep takes advantage of is for the sites to use full end-to-end encryption, known as HTTPS or SSL but many sites default to the HTTP protocol because it's quicker. A TechCruch reader claims to have found a workaround using the existing Force-TLS Firefox extension that forces sites to use the HTTPS protocol, thereby making a user's cookies invisible to Firesheep. But with most people unlikely to be security conscious enough to install it's hardly a complete solution.

Butler has released Firesheep as open source and it can be downloaded from his site for both Mac OS X and Windows, with a Linux version on the way.

Via TechCrunch

View gallery - 3 images
  • Facebook
  • Twitter
  • Flipboard
  • LinkedIn
7 comments
Lawrence Lagarde
Since Gizmag doesn\'t use https to secure logins, I suppose it\'s only a matter of time before a Firesheep user writes an open source plug in for it as well...
Andrew Christianson
I wonder, does this work across different browsers (IE, Opera, Chrome, etc)? Or is it just limited to Firefox users?
RpD
Open public wifi isn\'t rendered \'useless\'... it renders users vulnerable if they choose to login to anything (that uses \'cookies\'). If you just surf the web and don\'t \'login\' to anything... there\'s no login data to capture. When you go public... don\'t sign in to anything else, don\'t sign in to websites that require a login; when you go public, just surf the free public web (no logins)... and don\'t enter any personal info. Read the news, sports, etc. at news.google.com or browse anywhere else without a login. That\'s not \'useless\'.

Fabian Rousset
Am I logged in? Or is it someone on Firesheep? Crap this sucks.
christopher
Properly coded web sites use the SECURE modifier for https cookies (thus - those cookies never travel over unencrypted links), so no burning mutton is going to \"do anything that user can do\" for them at least.

It\'s an easy fix for Twitter etc to solve - so good on those heated lambs for rubbing their collective facebooks in their own insecurity :-)
Matt Rings
..oops, just logged into Gizmag using my Facebook account. Dang! Fortunately, I\'m not using \"wireless\". :)

@RpD: who doesn\'t travel with a wi-fi laptop and NOT log into important personal sites...? that would be about as close to \'useless\' as I can imagine.

Time to go HTTPS on everything possible...
Will, the tink
Well, anyone who leaves their own personal Wifi open to the public is just asking for trouble although chances of having trouble are fairly slim. The thing I wonder about this article is, if Eric Butler\'s true intentions are to just bring awareness to the problem, why post the code on how to do it to his website as \"open source\"? Sounds more like a pride thing to me.