
New Firefox add-on hacks in to Facebook and Twitter sessions

The add-on, dubbed 'Firesheep', was created to show the danger of accessing unencrypted sites from public Wi-Fi areas

A new Firefox add-on lets "pretty much anyone" scan a Wi-Fi network and hijack others' access to Facebook, Twitter and a host of other services, a security researcher warned today.

The add-on, dubbed "Firesheep," was released Sunday by Eric Butler, a Seattle-based freelance web application developer, at the ToorCon security conference, which ran Oct 22-24 in San Diego, Calif.

Butler said he created Firesheep to show the danger of accessing unencrypted Web sites from public Wi-Fi spots.

Although it's common for sites to encrypt user log-ons with HTTPS or SSL, few encrypt the actual traffic. "This leaves the cookie, and the user, vulnerable," said Butler in a post to his personal blog. "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."

With a user's cookie in hand, a criminal can do anything the user can do on a site, Butler noted. Among the sites that Firesheep can hijack are Facebook, Twitter, Flickr, bit.ly, Google and Amazon.
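The gap described above, from the site owner's side, as an added example (not code from the article, from Butler, or from Firesheep): it models which cookies set during an HTTPS log-on a browser would later attach to a plain-HTTP request, and lists what the response is missing. The header values, the `example.test` host and all function names are constructed for illustration, and Domain/Path matching is assumed to succeed.

```python
from urllib.parse import urlsplit

# Constructed response headers from a login completed over HTTPS.
LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=constructed-value-1; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=constructed-value-2; Path=/; Secure"),
]

def parse_set_cookie(header):
    """Return (cookie name, dict of lower-cased attributes) for one Set-Cookie value."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def set_cookies(headers):
    """All Set-Cookie values in a list of (name, value) response headers."""
    return [v for n, v in headers if n.lower() == "set-cookie"]

def sent_in_cleartext(headers, next_url):
    """Cookie names a browser would attach, unencrypted, to a request for next_url.
    Simplification: Domain and Path matching are assumed to succeed."""
    if urlsplit(next_url).scheme != "http":
        return []  # over https:// every cookie travels inside TLS
    return [name for name, attrs in map(parse_set_cookie, set_cookies(headers))
            if "secure" not in attrs]  # Secure cookies are withheld from http://

def audit_login_response(headers):
    """Findings a site owner should fix so the session survives an open network."""
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    for name, attrs in map(parse_set_cookie, set_cookies(headers)):
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks the Secure attribute")
    return findings

if __name__ == "__main__":
    print(sent_in_cleartext(LOGIN_RESPONSE, "http://example.test/home"))
    for finding in audit_login_response(LOGIN_RESPONSE):
        print("FINDING:", finding)
```

Marking the session cookie `Secure` and serving every page over HTTPS closes the gap regardless of the network the user is on.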

Butler did not reply to an interview request Monday.

"None of this is new, the flaw certainly isn't," said Richard Wang, the U.S. manager of SophosLabs, the research arm of UK-based security company Sophos. "But Firesheep makes it so easy to discover [unencrypted traffic and cookies] that pretty much anyone can use it to listen to what others are doing at public hotspots."

Firesheep adds a sidebar to Mozilla's Firefox browser that shows when anyone on an open network -- such as a coffee shop's Wi-Fi network -- visits an insecure site. "Double-click on someone [in the sidebar] and you're instantly logged on as them," said Butler in his short description of his add-on.

The add-on appears to be irresistible: Since Butler posted Firesheep on Sunday it's been downloaded nearly 50,000 times.

Butler created Firesheep to illustrate the wide-ranging problem of unencrypted sites and public networks. "Web sites have a responsibility to protect the people who depend on their services," he said. "They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure Web. My hope is that Firesheep will help the users win."

Wang was hopeful that the add-on would prompt more sites to encrypt their sessions. "The hope here is of increased use of HTTPS," he said. But he also urged more public networks to secure users, although he acknowledged that the logistics of handing out the passwords necessary to connect would be daunting. "It's the old 'security-versus-convenience' argument," he noted.

Users can protect themselves, said Wang, by refusing to access insecure sites while on open networks or, for the technically inclined, by relying on a secure proxy server, perhaps one run on their work machine, which their laptops would in turn access.

"But that's not a solution for the average user," Wang admitted.

Firesheep, which works with the Windows and Mac OS X versions of Firefox, can be downloaded free of charge from the GitHub site.

Butler is working on Firesheep for the Linux edition of Firefox.


