Firefox add-on allows session hijacking of popular sites

A computer researcher has released a plug-in for the Firefox web browser that lets anyone scan open Wi-Fi networks and hijack, for example, Twitter and Facebook accounts.

The add-on, called “Firesheep,” was released Sunday at the ToorCon security conference in San Diego by Eric Butler, a Seattle-based web application and software developer.

Butler designed the add-on to highlight the danger of accessing unencrypted websites via public Wi-Fi networks, he wrote in a blog post Sunday.

Websites commonly protect users' passwords by encrypting the initial login, Butler said. However, many popular sites – including Facebook and Twitter – do not use end-to-end HTTPS or SSL encryption to safeguard sessions, leaving them vulnerable to an attack known as "HTTP session hijacking," which allows an attacker to obtain a user's cookie to take over their account. 
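The weakness described above is that a session cookie issued after an HTTPS login is later sent in the clear whenever the browser fetches an http:// page of the same site. The following audit script is an added example, not code from the article or from Firesheep: it parses constructed Set-Cookie headers and flags session-like cookies that lack the Secure attribute (the attribute that stops the browser from sending them over plain HTTP), and checks for an HSTS header. The cookie names used to recognise a session cookie are an assumption.

```python
"""Audit a site's response headers for the cookie exposure Firesheep relies on.

Added example (not part of the article). A cookie without the Secure
attribute is sent by the browser on every plain-HTTP request to the site,
so anyone on the same open Wi-Fi network can read it. The fix is two-fold:
mark session cookies Secure and send Strict-Transport-Security so the
browser never falls back to http:// at all.
"""
from dataclasses import dataclass

# Assumption: substrings that identify a session cookie by name.
SESSION_NAME_HINTS = ("session", "sid", "auth", "token")


@dataclass
class Cookie:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 attribute syntax)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def insecure_session_cookies(set_cookie_headers):
    """Return names of session-like cookies a browser would send over plain HTTP."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        looks_like_session = any(h in cookie.name.lower() for h in SESSION_NAME_HINTS)
        if looks_like_session and not cookie.secure:
            findings.append(cookie.name)
    return findings


def has_hsts(headers: dict) -> bool:
    """True if the response pins the browser to HTTPS via Strict-Transport-Security."""
    return any(k.lower() == "strict-transport-security" for k in headers)


# Constructed sample responses: the weak pattern and the hardened one.
WEAK_COOKIES = ["sessionid=abc123; Path=/; HttpOnly", "theme=dark; Path=/"]
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_COOKIES = ["sessionid=abc123; Path=/; Secure; HttpOnly", "theme=dark; Path=/"]
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=31536000", "Content-Type": "text/html"}

if __name__ == "__main__":
    print("weak site exposes:", insecure_session_cookies(WEAK_COOKIES), "HSTS:", has_hsts(WEAK_HEADERS))
    print("hardened site exposes:", insecure_session_cookies(HARDENED_COOKIES), "HSTS:", has_hsts(HARDENED_HEADERS))
```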

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users,” Butler wrote.

Facebook, for example, has not implemented end-to-end SSL or HTTPS encryption, according to Butler.

A Facebook spokesman told SCMagazineUS.com in an email Tuesday that users should be cautious when sending or receiving information over unsecured Wi-Fi networks. 

“We have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months,” the spokesman said.

Firesheep adds a sidebar to Firefox that can be used to connect to an open Wi-Fi network, Butler explained. Once connected, the extension displays the name and photo of anyone on the network who visits an unsecured website.

“Double-click on someone, and you're instantly logged in as them,” he wrote.

The add-on has been downloaded more than 177,000 times since it became available Sunday. It also has ranked as a "trending" topic on Twitter and Google.

Butler said he hopes the new add-on will encourage websites to take security more seriously.

“Websites have a responsibility to protect the people who depend on their services,” he wrote. “They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.”
