Smells like fresh baked Facebook Cookies – Firesheep


When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
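As an added example (not Firesheep’s code and not part of the original post), the audit below checks a site’s response headers for exactly the weakness described here: a session cookie that lacks the Secure attribute is sent over plain HTTP and can be sniffed on an open network, while a site that encrypts everything marks its cookies Secure. The session-cookie name heuristic, the sample header sets and the HSTS check are assumptions constructed for illustration.

```python
"""Audit HTTP response headers for the cookie weakness Firesheep demonstrates.
A session cookie without the ``Secure`` attribute is attached to plain-HTTP
requests too, so on an open wireless network it travels in the clear and can
be copied and replayed.  Added example, not Firesheep's code; headers constructed.
"""
from http.cookies import SimpleCookie

# Heuristic (assumption): substrings that usually mark a session identifier.
SESSION_HINTS = ("sess", "sid", "auth", "login", "token")

def is_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)

def audit_set_cookie(value):
    """Findings for one Set-Cookie header value (empty list means OK)."""
    jar = SimpleCookie()
    jar.load(value)
    findings = []
    for name, morsel in jar.items():
        if not is_session_cookie(name):
            continue
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, sent over plain HTTP (sidejackable)")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable by page scripts")
    return findings

def audit_response(headers):
    """headers: {"Set-Cookie": [values...], "Strict-Transport-Security": str}."""
    findings = []
    for value in headers.get("Set-Cookie", []):
        findings.extend(audit_set_cookie(value))
    # HSTS (standardised after this post) is the server-side counterpart of the
    # Force-TLS add-on: it makes the browser refuse plain HTTP to the site.
    if "Strict-Transport-Security" not in headers:
        findings.append("no Strict-Transport-Security header: browser may still use HTTP")
    return findings

# Constructed headers: a site that only encrypts the login form...
LOGIN_ONLY_TLS = {"Set-Cookie": ["sessionid=abc123; Path=/; HttpOnly"]}
# ...and the hardened version that keeps the whole session on HTTPS.
FULL_TLS = {"Set-Cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly"],
            "Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    for label, hdrs in (("login-only TLS", LOGIN_ONLY_TLS), ("full TLS", FULL_TLS)):
        print(label, "->", audit_response(hdrs) or ["OK"])
```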

Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.

After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big “Start Capturing” button. Then wait.

As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:

Double-click on someone, and you’re instantly logged in as them.

All of your Facebook are belong to us.

That’s it.

Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.

Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.

Some are advocating the Force-TLS Firefox add-on to prevent being hijacked on unsecured connections, but read the reviews first: several users have noted issues. Another option is HTTPS Everywhere, which is currently in beta. I didn’t provide a link because I believe you should wait until it hits the street in full running gear before trying it.

The simplest way is to avoid social networking when on an unsecured connection.

The practice is known as session hijacking; if you’d like more information on how the code works, check out this post on Firesheep’s technical details.

A virtual private network (VPN) is the easiest way (other than avoiding unsecured Wi-Fi altogether) to protect yourself from a Firesheep-powered attack.

VPNs create an encrypted private tunnel through the public network, protecting the user’s traffic from any prying eyes (or packet sniffers) on the wireless hop. Note that the tunnel ends at the VPN provider; from there on, traffic to a site that does not use HTTPS (cookies included) is in the clear again.

VPNs were used heavily during the Iranian election protests; they are also widely used in China and in other areas where access to the Internet is restricted.

Another group that uses VPNs frequently is corporations. Employees often need a safe way to access very private and sensitive information from a public network; VPNs provide security and access. (For more information on corporate use of VPNs, check out this HowStuffWorks article.)

The downside of using a VPN is that you may notice a drop in your connection speed. You might also have to pay for your secure Internet access.

The upside, with specific regard to Firesheep, is that you can sit elbow-to-elbow with a black hat hacker in a coffee shop and know that your data is safely encrypted.
