Firefox add-on allows session hijacking of popular sites

Share this article:
A computer researcher has released a plug-in for the Firefox web browser that lets anyone scan open Wi-Fi networks and hijack, for example, Twitter and Facebook accounts.

The add on, called “Firesheep,” was released Sunday at the ToorCon security conference in San Diego by Eric Butler, a Seattle-based web application and software developer.

Butler designed the add-on to highlight the danger of accessing unencrypted websites via public Wi-Fi networks, he wrote in a blog post Sunday.

Websites commonly protect users' passwords by encrypting the initial login, Butler said. However, many popular sites – including Facebook and Twitter – do not use end-to-end HTTPS or SSL encryption to safeguard sessions, leaving them vulnerable to an attack known as "HTTP session hijacking," which allows an attacker to obtain a user's cookie to take over their account. 

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users,” Butler wrote.

Facebook, for example, has not implemented end-to-end SSL or HTTPS encryption, according to Butler.

A Facebook spokesman told SCMagazineUS.com in an email Tuesday that users should be cautious when sending or receiving information over unsecured Wi-Fi networks. 

“We have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months,” the spokesman said.

Firesheep adds a sidebar to Firefox that can be used to connect to an open Wi-Fi network, Butler explained. Once connected, the extension displays the name and photo of anyone on the network who visits an unsecured website.

“Double-click on someone, and you're instantly logged in as them,” he wrote.

The add-on has been downloaded more than 177,000 times since it became available Sunday. It also has ranked as a "trending" topic on Twitter and Google.

Butler said he hopes the new add-on will encourage websites to take security more seriously.

“Websites have a responsibility to protect the people who depend on their services,” he wrote. “They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.