Firefox extension makes session hijacking easy

You might want to think twice about logging into your Facebook account or Tweeting the next time you’re on a public Wi-Fi hotspot. As TechCrunch reports, a new Firefox extension called Firesheep is causing quite a stir. It allows basically anyone to harvest other users’ log-in information with a simple, easy-to-use interface. In the words of the Firesheep website, "As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed. . . . Double-click on someone, and you’re instantly logged in as them."

The Firesheep information page provides some interesting background information. In short, the developer seems to be taking an ends-justify-the-means approach to helping secure popular websites:

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.

The extension is available free of charge for Windows and Mac OS X, and the source code can be downloaded here. You may start panicking in three, two, one…
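The quoted Firesheep description boils down to one mechanism: a session cookie set by an HTTPS login page without the `Secure` attribute is attached to every later plain-HTTP request to the same site, so anyone on an open network can read it. The following Python script, added here as an illustration and not code from the article or from Firesheep, audits a set of `Set-Cookie` headers (constructed sample values, not captured from any real site) with the standard library's `http.cookies` parser: it reports which cookies a browser would still send over `http://`, and shows the hardened form of each header with `Secure` and `HttpOnly` added.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: what a login response might set when a site encrypts
# only the login step. Names and values are made up for this example.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=8d3f1c2a; Path=/; HttpOnly",  # no Secure: sent in the clear later
    "csrftoken=k9q2; Path=/; Secure",        # Secure: only ever sent over HTTPS
    "prefs=dark; Path=/",                    # no Secure, but not a credential
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, Morsel)."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()  # exactly one cookie per header
    return name, morsel


def would_send_over_plaintext(header, url):
    """True if a browser would attach this cookie to a request for `url`
    and that request goes over plain http:// (i.e. the value is on the wire).
    Only scheme and path scoping are modelled; domain matching is assumed."""
    _, morsel = parse_set_cookie(header)
    parts = urlsplit(url)
    request_path = parts.path or "/"
    cookie_path = morsel["path"] or "/"
    if not request_path.startswith(cookie_path):
        return False          # path scope excludes this request
    if morsel["secure"]:
        return False          # Secure cookies never travel over http://
    return parts.scheme == "http"


def audit_cookies(headers):
    """Names of cookies lacking Secure: these are the sidejacking exposure."""
    exposed = []
    for header in headers:
        name, morsel = parse_set_cookie(header)
        if not morsel["secure"]:
            exposed.append(name)
    return exposed


def harden(header):
    """Return the header with Secure and HttpOnly added where missing.
    This is the server-side fix the article's quote calls for, applied
    to a single cookie; the site must also serve every page over HTTPS."""
    _, morsel = parse_set_cookie(header)
    if not morsel["secure"]:
        morsel["secure"] = True
    if not morsel["httponly"]:
        morsel["httponly"] = True
    return morsel.OutputString()


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE_HEADERS:
        leaks = would_send_over_plaintext(h, "http://example.test/feed")
        print(f"{h!r}: sent over http -> {leaks}")
    print("exposed:", audit_cookies(SAMPLE_SET_COOKIE_HEADERS))
    print("hardened:", harden(SAMPLE_SET_COOKIE_HEADERS[0]))
```

Run against real headers (for example, copied from the browser's network inspector for a site you operate), the `exposed` list is exactly the set of cookies Firesheep-style tooling could replay; a session cookie that appears there needs `Secure`, and the site needs HTTPS everywhere so that the browser is never asked to make a plain-HTTP request in the first place.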

Comments closed
    • liquidsquid
    • 9 years ago

    If anything this makes it very easy to see if your own system is open (to see what residue is lying about) and to easily show your significant others how scarily easy it is to lose your identity. This is pretty cool; all I can say is thank God my paranoia prevents me from using public access points to begin with…

    It is like not wearing a condom in a whorehouse.

    • albundy
    • 9 years ago

    yay! identity theft. class action anyone?

      • ssway
      • 9 years ago

      Against who? HTTP?

    • kakao
    • 9 years ago

    The reason most sites will only use ssl on login pages is that most browsers do not cache ssl content unless the site sets the served content’s HTTP Cache-Control header to public. Setting some of the content (such as images) as publicly cached has the nasty side effect of showing a security warning to the user stating that some of the contents of the page are not secure, and so the user now thinks the site is less secure than when the site is not served with ssl. What will the site owners do if they risk losing their customers when they try to make the site safer? They just won’t make the site safer. If the replies to this article (on a geek site) are an indication of the cluelessness of the users, then the situation will not be improved.

    • Bensam123
    • 9 years ago

    lol…

    How much do you want to bet websites still won’t do anything about this even though it’s so blatantly obvious? I can see why the author of the plugin is doing this: add a bit of advertisement and maybe it’ll become popular and websites will crack down on it.

    • voodootronix
    • 9 years ago

    Be interesting to see if TR take a bit of initiative on this and implement a https/SSL based login – if it’s as straightforward/computationally affordable as other commenters have implied I’d like to see it. Geeky websites should use advanced tech, right?

    • Prospero424
    • 9 years ago

    So what’s changed?

    We already knew it was a bad idea to access secure information on insecure services using insecure networks.

    I guess I kind of see this as a good thing. All of this was already fairly trivial to do for those inclined to engage in this sort of snooping. This software serves to put a giant sign up saying “THIS IS HOW EASY IT IS TO STEAL YOUR PASSWORD, IDIOTS”.

    Maybe now individuals who frequently use unsecured WiFi and, more importantly, the businesses who offer unsecured WiFi will finally start paying attention to something they should have been paying attention to for the past 10 friggin’ years. Maybe now they’ll learn about transparent security features like Access Point (layer 2) Isolation and actually implement them. Maybe now end users will begin to appreciate the importance of SSL and secured sites.

    [BruceCampbell]Yeah, and maybe I’m a Chinese jet pilot.[BruceCampbell]

      • MadManOriginal
      • 9 years ago

      ‘We’ doesn’t apply when it’s people who don’t even have the slightest clue wtf a ‘secure login’ is and the free WiFi spots are being used by everyone with a cheap CE device.

        • Prospero424
        • 9 years ago

        Well, that was kind of my point: that this has the potential to raise awareness, at least a little bit.

      • Bensam123
      • 9 years ago

      This makes it very, very easy… in other words it isn’t as easy to dodge the bullet by thinking people don’t know how to do attacks like these.

      • kakao
      • 9 years ago

      Since, in general, according to the article, the login page is encrypted, the password can’t be stolen. But obviously if the attacker can impersonate the user, the password could be changed.

    • eitje
    • 9 years ago

    I wonder if this works on corporate networks.

      • just brew it!
      • 9 years ago

      In general, wired corporate networks should be safe from this sort of attack. I am assuming that this thing works by putting the network interface into “promiscuous” mode, where it listens to all traffic (not just traffic directed at the system it’s running on). But modern Ethernet networks are switched — only nodes that the traffic actually passes through can see the packets. You would need to be running the exploit on one of the routers, or in a VM on the machine of the user you’re trying to hack.

      I suppose if you’re on a really ancient 10 mbit network or an old 100 mbit network (with hubs instead of switches) you’d be vulnerable. But this seems like it is primarily a WiFi exploit.

    • djgandy
    • 9 years ago

    I don’t know but I’d imagine that CPU utilisation for basic web applications / requests is far less than bandwidth requirements. In relation to the database queries the SSL cost has to be nothing right?

    With newer Intel hardware with built in encryption ops I’d imagine AES becomes even less costly.

    I’d guess that modern cores can encrypt GB/s of data.

    • Firestarter
    • 9 years ago

    I hardly ever use open wireless networks anyway. Many don’t even bother with them anyway, as they just check facebook with their 3G connected smartphones.

    Speaking of which, how’s the firewall situation on smartphones anyway? Any hope of scanning for known vulnerabilities and hijack about a zillion facebook accounts that way?

      • Meadows
      • 9 years ago

      What does one gain with a zillion FB accounts?

        • Firestarter
        • 9 years ago

        Unlimited marketing potential, as well as pics of boobs.

    • Bauxite
    • 9 years ago

    I’ve always thought that some of these social sites like facebook were deliberately and intentionally designed from the start to collect information for other uses, the money from advertising and other “public” sources was just for maintenance and show.

    Having a joke of security model would give you a nice and easy “defense” if ever accused/sued or legislated against for giving out peoples information without their explicit consent. (read: not eula weaseled/false interface/changing terms every month and requiring opt outs etc)

    Go ahead, call me paranoid, but it’s a fact that 3rd parties mine this data and have wide access to it.

    If people want to use it, fine, but drop the pretense of lying to them and pretending any of the data is not visible to those willing to pay or trade for it.

    • axeman
    • 9 years ago

    As I understand it, this practice is commonplace because it puts less load on the server. This is also why many sites don’t do anything higher than 128-bit RC4. The real question is whether this is really an issue anymore, or just a bad habit that’s a holdover from when hardware was more costly.

    • sjl
    • 9 years ago

    From the looks of it, this is an opt-in system. Install the extension, and you can be anybody else who has installed the extension.

    Which puts it on the right side of the very thin ethical line, in my book.

    Of course, there’s the concern that the unethical bunch might modify the extension to install surreptitiously and play silly buggers behind people’s backs, but then, let’s be honest here – if the bad guys can install arbitrary programs on your computer, you’ve lost, regardless of the end-to-end security of the web connection.

      • kcarlile
      • 9 years ago

      From all that I’ve read, it’s not. One person with it can hijack anyone on the same network, whether they’ve got it or not. Wouldn’t be much of a proof of concept if it didn’t work like that, would it?

      • jwb
      • 9 years ago

      I’m not sure how you formed this belief. The extension allows you to impersonate anyone on your LAN who is using these sites. The victim does not need to install anything.

      Note that this has always been possible. This guy is just putting a very easy interface on it.

      • just brew it!
      • 9 years ago

      I believe you are mistaken — it does not appear to be opt-in to me. The problem is that many web sites (this one included!) do not use SSL encryption during login, so user names, passwords, and cookies are transmitted “in the clear”. If you’re logging in via a public WiFi hotspot, this traffic is trivially easy to intercept.

      I am pretty careful about stuff like this. When I log in to public web sites from on the road, I always use an encrypted SSH tunnel to a SOCKS proxy I run on one of my home PCs. It’s the only way to be reasonably sure your traffic isn’t being sniffed. (In theory my ISP could still sniff the traffic, since it is unencrypted once it bounces through my SOCKS proxy; but at least I’m not broadcasting my login information to everyone else on the WiFi hotspot I’m using to access the ‘net!)

        • sjl
        • 9 years ago

        You’re right, I’m wrong, I misinterpreted. Shows what happens when you post whilst under the influence of a lack of sleep. Sorry.

    • indeego
    • 9 years ago

    THIS is what people freak out about? Not the lack of privacy controls in these services otherwise
