A newly released Firefox extension, allows virtually anyone to hijack other people's accounts on popular websites like Facebook or Twitter, when connected over open wireless networks and not using HTTPS.
The extension is called Firesheep and was released as an open source project by a software developer named Eric Butler, at the Toorcon 12 hacking conference this weekend.
performs a type of attack known as a session hijacking, which involves intercepting and stealing session cookies when they get transmitted over the air.
Session cookies are small text files containing unique identifiers, which are stored inside the browser and are used by websites to determine if a user is logged in or not.
These identifiers are sent in plain text with every request and can be easily intercepted by attackers connected through the same wireless network as the victim.
Firesheep does exactly that, but it does it in a way that requires little to no technical knowledge on behalf the attacker.
The extension creates a sidebar in Firefox with a "Start Capturing" button. Once this button is pressed, it starts scanning the WiFi traffic for cookies and displays a list of hijackable accounts.
All the attacker has to do is click on the desired account and they're in. It's as simple as that. Firesheep is session hijacking for dummies.
"This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users
," Eric Butler, writes.
"The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL
," he explains.
Very few widespread services have full-session HTTPS enabled by default. Gmail is one example. However, since other Google services sharing the same session cookie, don't, its security benefits are significantly reduced.
Facebook and Twitter also have SSL support, which can be enabled by accessing them with https:// in front, but few people actually use it.
"Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win
," Butler concludes.
We'd like to take this occasion and remind people of another Firefox extension called HTTPS Everywhere
, developed by the Electronic Frontier Foundation and the Tor Project, which can force HTTPS by default on a lot of popular websites.