Even if you were drunk and surfing at a Wi-Fi hotspot, you probably wouldn’t stand up and shout your username and password for anyone who might want it. But an attacker does not need to find out your username and password. If you thought that capturing a user’s social media session was only done by skilled hackers, now the Firesheep addon can allow even the truly clueless to become an Internet griefer.
If you were at a Wi-Fi hotspot, you probably would have no options and no encryption at all. Although many websites give lip service about how important their users’ privacy and security are to them, very few have their entire site encrypted with HTTPS. Most sites encrypt the username and password during the login process, but most of those sites stop encrypting and protecting the user right there. As soon as a user moves on to a regular HTTP page on the site, an attacker can sniff and capture the user’s cookie information.
Many of us are busy multitasking, so we log into Twitter or Facebook, or even Flickr, and then move on to surf other sites without first logging out of those accounts. If any of those later sites embeds a Twitter or Facebook widget, or even a Flickr image, and you didn’t log out before continuing to surf, then HTTP session jacking, also called “sidejacking,” can happen because the browser leaks the user’s cookie. Security researchers explained that if a person can steal the cookie, then they can steal your session and do anything the user could do on the site.
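The leak described above, seen from the site operator's side, as an added example that is not from the original article or from Firesheep: it audits the headers of an HTTPS login response for session cookies that the browser would also send over plain HTTP. The function names, finding labels and sample header values are constructed for illustration.

```python
# Added example: check a login response (received over HTTPS) for cookies
# that a browser would still attach to unencrypted http:// requests.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_login_response(headers):
    """headers: list of (name, value) tuples. Returns a list of (finding, cookie) tuples."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            # Without Secure, the cookie rides along on any http:// request to
            # the site, including one triggered by an embedded widget or image.
            if "secure" not in attrs:
                findings.append(("insecure-cookie", cookie))
    # Without HSTS, nothing tells the browser to keep later requests on HTTPS.
    if not has_hsts:
        findings.append(("no-hsts", None))
    return findings

# Constructed sample: login is encrypted, but the session cookie is not pinned to HTTPS.
SAMPLE_WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=CONSTRUCTED123; Path=/; HttpOnly"),
]

# Constructed sample: the same response with the cookie and transport locked down.
SAMPLE_HARDENED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=CONSTRUCTED123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_login_response(sample))
```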
At the Toorcon 12 security conference, Ian Gallagher and Eric Butler presented Hey Web 2.0: Start protecting user privacy instead of pretending to. Eric Butler released a free open-source tool and Firefox browser addon called Firesheep. Now any person, or idiot, can use Firesheep to scan local Wi-Fi networks and find users who are logged into Facebook, Twitter, Amazon, Google, FourSquare, Dropbox, Hacker News, Windows Live, Cisco, Evernote, WordPress, Flickr, bit.ly and many other services. There is a list of sites that Firesheep will sniff and hijack.
Butler blogged “On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy…. When it comes to user privacy, SSL is the elephant in the room.”
After installing the Firesheep addon, a new sidebar will appear. Butler writes, “Connect to any busy open Wi-Fi network and click the big ‘Start Capturing’ button. Then wait. As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:”
Yep, just that easy. Firesheep works on any unencrypted wireless LAN connection with services that don’t use secure HTTP.
At the time of publishing this article, Firesheep has been downloaded 52,796 times. Twitter is hot with the news of Firesheep. Quite a few sheeple are playing, ignoring wireless wiretap laws and being baaaaad, including those who have no clue how to hack social network sites.
What can you do to protect yourself? Only use encrypted Wi-Fi, use a VPN if you have it, or force SSL if you can. The Tor Project and EFF have a Firefox extension called HTTPS Everywhere that rewrites all requests to HTTPS. The kicker is that very few sites are set up to work with the plugin. There is also a Firefox extension called Force-TLS.
“Companies have a responsibility to protect you, demand SSL Everywhere!”