Firefox add-on allows session hijacking of popular sites
The add-on, called “Firesheep,” was released Sunday at the ToorCon security conference in San Diego by Eric Butler, a Seattle-based web application and software developer.
Butler designed the add-on to highlight the danger of accessing unencrypted websites via public Wi-Fi networks, he wrote in a blog post Sunday.
Websites commonly protect users' passwords by encrypting the initial login, Butler said. However, many popular sites – including Facebook and Twitter – do not use end-to-end HTTPS or SSL encryption to safeguard sessions, leaving them vulnerable to an attack known as "HTTP session hijacking," which allows an attacker to obtain a user's cookie to take over their account.
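The exposure described above comes down to a session cookie that the browser will also send over plain HTTP, so a defender's first check is whether session cookies carry the Secure attribute. The following audit is an added example, not code from Butler or from Firesheep; the Set-Cookie headers and the name hints used to spot session cookies are constructed assumptions.

```python
"""Audit Set-Cookie headers for the weakness Firesheep demonstrated: a
session cookie without the Secure attribute is sent on plain-HTTP requests
and can be read by anyone sniffing an open Wi-Fi network, even when the
login itself happened over HTTPS. Sample headers are constructed."""

# Assumed substrings that suggest a cookie carries session state.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).
    Attribute names are lower-cased; bare flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return the cookie name, whether it looks session-like, and findings."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, sniffable")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script")
    session_like = any(h in name.lower() for h in SESSION_HINTS)
    return {"name": name, "session_like": session_like, "findings": findings}


def audit_headers(headers):
    """Keep only session-like cookies that have at least one finding."""
    results = (audit_cookie(h) for h in headers)
    return [r for r in results if r["session_like"] and r["findings"]]


def harden_set_cookie(header):
    """Append Secure and HttpOnly when absent (the corrected setting)."""
    _, _, attrs = parse_set_cookie(header)
    fixed = header.rstrip("; ")
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in attrs:
            fixed += "; " + flag
    return fixed


SAMPLE_HEADERS = [  # constructed, not captured from any real site
    "datr=abc; Domain=example.com; Path=/",          # not a session cookie
    "session_id=a1b2c3; Path=/; HttpOnly",          # the Firesheep case
    "login_token=f00d; Path=/; Secure; HttpOnly",   # hardened form
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding["name"], finding["findings"])
```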
“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users,” Butler wrote.
Facebook, for example, has not implemented end-to-end SSL or HTTPS encryption, according to Butler.
A Facebook spokesman told SCMagazineUS.com in an email Tuesday that users should be cautious when sending or receiving information over unsecured Wi-Fi networks.
“We have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months,” the spokesman said.
Firesheep adds a sidebar to Firefox that can be used to connect to an open Wi-Fi network, Butler explained. Once connected, the extension displays the name and photo of anyone on the network who visits an unsecured website.
“Double-click on someone, and you're instantly logged in as them,” he wrote.
The add-on has been downloaded more than 177,000 times since it became available Sunday. It also has ranked as a "trending" topic on Twitter and Google.
Butler said he hopes the new add-on will encourage websites to take security more seriously.
“Websites have a responsibility to protect the people who depend on their services,” he wrote. “They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.”