Firefox add-on allows session hijacking of popular sites

Share this article:
A computer researcher has released a plug-in for the Firefox web browser that lets anyone scan open Wi-Fi networks and hijack, for example, Twitter and Facebook accounts.

The add on, called “Firesheep,” was released Sunday at the ToorCon security conference in San Diego by Eric Butler, a Seattle-based web application and software developer.

Butler designed the add-on to highlight the danger of accessing unencrypted websites via public Wi-Fi networks, he wrote in a blog post Sunday.

Websites commonly protect users' passwords by encrypting the initial login, Butler said. However, many popular sites – including Facebook and Twitter – do not use end-to-end HTTPS or SSL encryption to safeguard sessions, leaving them vulnerable to an attack known as "HTTP session hijacking," which allows an attacker to obtain a user's cookie to take over their account. 

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users,” Butler wrote.

Facebook, for example, has not implemented end-to-end SSL or HTTPS encryption, according to Butler.

A Facebook spokesman told SCMagazineUS.com in an email Tuesday that users should be cautious when sending or receiving information over unsecured Wi-Fi networks. 

“We have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months,” the spokesman said.

Firesheep adds a sidebar to Firefox that can be used to connect to an open Wi-Fi network, Butler explained. Once connected, the extension displays the name and photo of anyone on the network who visits an unsecured website.

“Double-click on someone, and you're instantly logged in as them,” he wrote.

The add-on has been downloaded more than 177,000 times since it became available Sunday. It also has ranked as a "trending" topic on Twitter and Google.

Butler said he hopes the new add-on will encourage websites to take security more seriously.

“Websites have a responsibility to protect the people who depend on their services,” he wrote. “They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."

Share this article:

Sign up to our newsletters

More in News

Firefox 32 feature could cut undetected malware downloads 'in half'

Mozilla plans to introduce a feature in Firefox 32 that, based on preliminary testing, could cut the amount of undetected malware downloads in half.

EFF asks court to find NSA internet spying a violation of Fourth Amendment

EFF asks court to find NSA internet spying ...

Complete with a colorful graphic, the EFF showed a federal court how the NSA essentially runs a digital dragnet that can pick up innocent Americans.

Study: Asian Android users at higher risk of malware exposure

Cheetah Mobile's new study showed that Asian Android users have a two to three times greater risk of downloading malware onto their devices.