Firefox extension makes session hijacking easy

You might want to think twice about logging into your Facebook account or Tweeting the next time you’re on a public Wi-Fi hotspot. As TechCrunch reports, a new Firefox extension called Firesheep is causing quite a stir. It allows basically anyone to harvest other users’ log-in information with a simple, easy-to-use interface. In the words of the Firesheep website, "As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed. . . . Double-click on someone, and you’re instantly logged in as them."

The Firesheep information page provides some interesting background information. In short, the developer seems to be taking an ends-justify-the-means approach to helping secure popular websites:

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.
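The fix the quoted text points at has two halves: serve everything over HTTPS, and set session cookies so the browser will never send them over plain HTTP in the first place (the Secure attribute; HttpOnly keeps them away from page script as well). The following is an added example, not code from the article or from the Firesheep project: a small Python audit that parses a raw HTTP response, flags session-looking cookies set without Secure or HttpOnly and the absence of a Strict-Transport-Security header, and shows the hardened Set-Cookie form. The two sample responses are constructed for the example, and the list of cookie-name fragments used to guess which cookies are session cookies is an assumption of the example, not a standard.

```python
"""Audit HTTP response headers for the conditions that make a session
cookie sidejackable over an open network (added example; constructed data)."""
from dataclasses import dataclass

# Assumption: cookies whose name contains one of these fragments are treated
# as session/authentication cookies. Tune this for the site being audited.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...]).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines rather than abort the audit
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookie(set_cookie: str) -> CookieFinding:
    """Inspect one Set-Cookie value for the Secure and HttpOnly attributes."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=any(h in name.lower() for h in SESSION_NAME_HINTS),
    )


def audit_response(raw: str) -> list[str]:
    """Return a list of human-readable problems; an empty list means the
    response sets no sidejackable session cookie and pins the site to HTTPS."""
    _, headers = parse_response(raw)
    problems = []
    if not any(n == "strict-transport-security" for n, _ in headers):
        problems.append("no Strict-Transport-Security header: a browser may still "
                        "follow an http:// link and send cookies in the clear")
    for n, v in headers:
        if n != "set-cookie":
            continue
        f = audit_cookie(v)
        if f.looks_like_session and not f.secure:
            problems.append(f"cookie {f.name!r} lacks Secure: it is sent over "
                            "plain HTTP and can be sniffed on an open network")
        if f.looks_like_session and not f.httponly:
            problems.append(f"cookie {f.name!r} lacks HttpOnly: page script can read it")
    return problems


def harden_set_cookie(set_cookie: str) -> str:
    """Rewrite a Set-Cookie value so it carries Secure and HttpOnly."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if "secure" not in attrs:
        parts.append("Secure")
    if "httponly" not in attrs:
        parts.append("HttpOnly")
    return "; ".join(parts)


# Constructed sample: the login-only-encrypted pattern the quote describes.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same site after the fix.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for problem in audit_response(resp) or ["no problems found"]:
            print("  -", problem)
    print(harden_set_cookie("sessionid=abc123; Path=/"))
```

The weak response produces three findings (missing HSTS, session cookie without Secure, without HttpOnly) and the hardened one none; the non-session `theme` cookie is deliberately left alone, since marking every cookie Secure is not what breaks a site but also not what protects the login.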

The extension is available free of charge for Windows and Mac OS X, and the source code can be downloaded here. You may start panicking in three, two, one…

Comments closed
    • ssway
    • 12 years ago

    Against who? HTTP?

    • liquidsquid
    • 12 years ago

    If anything this makes it very easy to see if your own system is open (to see what residue is lying about) and to easily show your significant others how scarily easy it is to lose your identity. This is pretty cool. All I can say is thank God my paranoia prevents me from using public access points to begin with…

    It is like not wearing a condom in a whorehouse.

    • albundy
    • 12 years ago

    yay! identity theft. class action anyone?

    • indeego
    • 12 years ago

    Sure they will, just use open source, penetration tested, encrypted transport and storage for your communication, and don’t rely on 3rd parties.

    • kakao
    • 12 years ago

    The reason most sites will only use ssl on login pages is that most browsers do not cache ssl content unless the site sets the served content’s HTTP Cache-Control header to public. Setting some of the content (such as images) as publicly cached has the nasty side effect of showing a security warning to the user stating that some of the contents of the page are not secure, and so the user now thinks the site is less secure than when the site is not served with ssl. What will the site owners do if they risk losing their customers when they try to make the site safer? They just won’t make the site safer. If the replies to this article (on a geek site) are an indication of the cluelessness of the users then the situation will not be improved.

    • kakao
    • 12 years ago

    As, in general, according to the article, the login page is encrypted, the password can’t be stolen. But obviously if the attacker can impersonate the user the password could be changed.

    • blastdoor
    • 12 years ago

    That advice is clearly correct, and I don’t think anyone disputes it.

    But I think that another point is being made here. Having the ability to communicate with a group of friends on the internet with the same expectation of privacy as when communicating with the same group of friends face-to-face (in which case the privacy risk is the nature of your friends, not the nature of the communication medium) would be a valuable thing. Facebook pretends to offer that ability, but in reality does not. There are clear, concrete things that they could do to get much closer to actually providing that level of security but they choose not to do those things.

    Of course, given the way things are going with governments around the world, we may soon reach a point (if we haven’t already) where the privacy policies of any company are irrelevant, because the government will always have the ability to come in and take all the private information they want, without a warrant. In which case the advice “don’t express any thought through an electronic medium that you don’t want the entire world to see” will be even more applicable, thereby making electronic mediums even less useful.

    • just brew it!
    • 12 years ago

    In general, wired corporate networks should be safe from this sort of attack. I am assuming that this thing works by putting the network interface into “promiscuous” mode, where it listens to all traffic (not just traffic directed at the system it’s running on). But modern Ethernet networks are switched — only nodes that the traffic actually passes through can see the packets. You would need to be running the exploit on one of the routers, or in a VM on the machine of the user you’re trying to hack.

    I suppose if you’re on a really ancient 10 mbit network or an old 100 mbit network (with hubs instead of switches) you’d be vulnerable. But this seems like it is primarily a WiFi exploit.

    • Bensam123
    • 12 years ago

    lol…

    How much do you want to bet websites still won’t do anything about this even though it’s so blatantly obvious? I can see why the author of the plugin is doing this: add a bit of advertisement and maybe it’ll become popular and websites will crack down on it.

    • Bensam123
    • 12 years ago

    This makes it very, very easy… in other words it isn’t as easy to dodge the bullet by thinking people don’t know how to do attacks like these.

    • Prospero424
    • 12 years ago

    Well, that was kind of my point: that this has the potential to raise awareness, at least a little bit.

    • MadManOriginal
    • 12 years ago

    ‘We’ doesn’t apply when it’s people who don’t even have the slightest clue wtf a ‘secure login’ is and the free WiFi spots are being used by everyone with a cheap CE device.

    • voodootronix
    • 12 years ago

    Be interesting to see if TR take a bit of initiative on this and implement a https/SSL based login – if it’s as straightforward/computationally affordable as other commenters have implied I’d like to see it. Geeky websites should use advanced tech, right?

    • just brew it!
    • 12 years ago

    Dunno about GB/sec, but certainly at least in the 10s or 100s of MB/sec, which is more than enough.

    • l33t-g4m3r
    • 12 years ago

    lol. It’s a double standard. They can datamine all they want since they’re “professionals”, but you’re not allowed to.
    I say dump it and support better alternatives:
    http://www.joindiaspora.com/index.html

    • Prospero424
    • 12 years ago

    So what’s changed?

    We already knew it was a bad idea to access secure information on insecure services using insecure networks.

    I guess I kind of see this as a good thing. All of this was already fairly trivial to do for those inclined to engage in this sort of snooping. This software serves to put a giant sign up saying “THIS IS HOW EASY IT IS TO STEAL YOUR PASSWORD, IDIOTS”.

    Maybe now individuals who frequently use unsecured WiFi and, more importantly, the businesses who offer unsecured WiFi will finally start paying attention to something they should have been paying attention to for the past 10 friggin’ years. Maybe now they’ll learn about transparent security features like Access Point (layer 2) Isolation and actually implement them. Maybe now end users will begin to appreciate the importance of SSL and secured sites.

    [BruceCampbell]Yeah, and maybe I’m a Chinese jet pilot.[BruceCampbell]

    • thedosbox
    • 12 years ago

    I love how the knee-jerk reaction is to rant against social networking sites and completely miss the point:

    http://github.com/codebutler/firesheep/wiki/Handlers Take a closer look at the sites listed there - e.g. Amazon, craigslist, ebay, netflix, NY Times, Paypal. Just noticed that TR doesn't use SSL on the reply form, so it would be equally vulnerable.

    • eitje
    • 12 years ago

    I wonder if this works on corporate networks.

    • Corrado
    • 12 years ago

    You can share info, but don’t share anything you don’t want the world to see. You share pics of you out with your friends, or at a concert or whatever. Don’t show pics of you passed out drunk on the floor.

    http://theoatmeal.com/comics/facebook_suck read this.

    • Firestarter
    • 12 years ago

    Unlimited marketing potential, as well as pics of boobs.

    • axeman
    • 12 years ago

    That’s what someone linked earlier… There is no real excuse for these cheesy setups anymore. Very few sites seem to support anything more than RC4 as well, purportedly this is for speed reasons, but that argument doesn’t really hold up anymore either.

    http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

    • djgandy
    • 12 years ago

    I don’t know but I’d imagine that CPU utilisation for basic web applications / requests is far less than bandwidth requirements. In relation to the database queries the SSL cost has to be nothing right?

    With newer Intel hardware with built in encryption ops I’d imagine AES becomes even less costly.

    I’d guess that modern cores can encrypt GB/s of data.

    • Meadows
    • 12 years ago

    What does one gain with a zillion FB accounts?

    • Firestarter
    • 12 years ago

    I hardly ever use open wireless networks anyway. Many don’t even bother with them anyway, as they just check facebook with their 3G connected smartphones.

    Speaking of which, how’s the firewall situation on smartphones anyway? Any hope of scanning for known vulnerabilities and hijack about a zillion facebook accounts that way?

    • sjl
    • 12 years ago

    You’re right, I’m wrong, I misinterpreted. Shows what happens when you post whilst under the influence of a lack of sleep. Sorry.

    • indeego
    • 12 years ago

    And I’ll say it again: /[

    • Bauxite
    • 12 years ago

    I’ve always thought that some of these social sites like facebook were deliberately and intentionally designed from the start to collect information for other uses, the money from advertising and other “public” sources was just for maintenance and show.

    Having a joke of security model would give you a nice and easy “defense” if ever accused/sued or legislated against for giving out peoples information without their explicit consent. (read: not eula weaseled/false interface/changing terms every month and requiring opt outs etc)

    Go ahead, call me paranoid, but it’s a fact that 3rd parties mine this data and have wide access to it.

    If people want to use it, fine, but drop the pretense of lying to them and pretending any of the data is not visible to those willing to pay or trade for it.

    • blastdoor
    • 12 years ago

    Well, yeah…. BUT that isn’t the way facebook markets themselves. They intentionally create the illusion that users have control over who sees their stuff. If all FB said was “use our site at your own risk — our privacy controls are either sucky or nonexistent” they probably wouldn’t have a lot of users.

    You can say that people are stupid sheep etc, but to a certain extent we’re all stupid sheep. There’s a reason that fraud and con scams are illegal. If fraud and con games weren’t illegal, then there wouldn’t be enough time in the day for everyone to defend themselves against everyone who’s trying to scam them out of something. Modern society can only function with a certain level of trust between strangers.

    • just brew it!
    • 12 years ago

    I believe you are mistaken — it does not appear to be opt-in to me. The problem is that many web sites (this one included!) do not use SSL encryption during login, so user names, passwords, and cookies are transmitted “in the clear”. If you’re logging in via a public WiFi hotspot, this traffic is trivially easy to intercept.

    I am pretty careful about stuff like this. When I log in to public web sites from on the road, I always use an encrypted SSH tunnel to a SOCKS proxy I run on one of my home PCs. It’s the only way to be reasonably sure your traffic isn’t being sniffed. (In theory my ISP could still sniff the traffic, since it is unencrypted once it bounces through my SOCKS proxy; but at least I’m not broadcasting my login information to everyone else on the WiFi hotspot I’m using to access the ‘net!)

    • axeman
    • 12 years ago

    Thanks for the link, that’s what I suspected.

    • jwb
    • 12 years ago

    According to this blog, the cost to switch GMail to SSL was near zero. http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

    • jwb
    • 12 years ago

    I’m not sure how you formed this belief. The extension allows you to impersonate anyone on your LAN who is using these sites. The victim does not need to install anything.

    Note that this has always been possible. This guy is just putting a very easy interface on it.

    • kcarlile
    • 12 years ago

    From all that I’ve read, it’s not. One person with it can hijack anyone on the same network, whether they’ve got it or not. Wouldn’t be much of a proof of concept if it didn’t work like that, would it?

    • Corrado
    • 12 years ago

    I’ve said it before, and I’ll say it again. Facebook doesn’t make you put anything in other than your name and an email address. Anything else you post/share/whatever is purely your choice. If you don’t want something to be shared, DON’T SHARE IT. You wouldn’t put a photo on a bulletin board at work and put a piece of paper over it and say ‘Only for Bill, Bob, Sue and Mary to look at’ and expect it to remain private.

    Don’t put things in places that you don’t own and then get uppity when other people see it.

    • destroy.all.monsters
    • 12 years ago

    Of course since it is always the messenger that gets the blame. People want to live in their snugglies of delusion.

    • axeman
    • 12 years ago

    As I understand it, this practice is commonplace because it puts less load on the server. This is also why many sites don’t do anything higher than 128-bit RC4. The real question is whether this is really an issue anymore, or just a bad habit that’s a holdover from when hardware was more costly.

    • sjl
    • 12 years ago

    From the looks of it, this is an opt-in system. Install the extension, and you can be anybody else who has installed the extension.

    Which puts it on the right side of the very thin ethical line, in my book.

    Of course, there’s the concern that the unethical bunch might modify the extension to install surreptitiously and play silly buggers behind people’s backs, but then, let’s be honest here – if the bad guys can install arbitrary programs on your computer, you’ve lost, regardless of the end-to-end security of the web connection.

    • indeego
    • 12 years ago

    THIS is what people freak out about? Not the lack of privacy controls in these services otherwise?
