Firefox extension makes Facebook 'sidejacking' easy

By on October 26, 2010, 6:32 AM
You might want to think twice before logging into your favorite websites when using an open Wi-Fi network. A new Firefox extension shows just how easy it is to snatch browser cookies sent over insecure connection for sites such as Facebook and Twitter, allowing malicious users to log into the same website via a process called HTTP session hijacking -- also known as sidejacking. The extension, dubbed Firesheep, was developed by freelance Seattle-based developer Eric Butler in an effort to push more websites into using full end-to-end encryption for logins.

Firesheep currently targets a few dozen popular sites, including Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, Wordpress and Yahoo. But it is also customizable to target other websites not listed by the developer. Basically what the extension does is eavesdrop on any open Wi-Fi network and list captured cookies on a panel to the left. Typically, this cookie will not contain your password, but even without your password someone using Firesheep can simply load your session cookie with a click and gain access to your account.


In other words someone with access to your Yahoo Mail cookie could send an email on your behalf, with your Facebook he could access friendís profiles and post messages, and so on. This problem doesn't really register when you're on a secure Wi-Fi network -- when WPA is enabled, for example. But of course there are ways to get around that as well.

Butler says moderately knowledgeable hackers were already exploiting this vulnerability, but by making it dead simple to use he hopes to raise awareness and compel sites to raise the bar on security. He also promised to release a new blog post in the next few hours that will help users protect themselves.




User Comments: 32

Got something to say? Post a comment
posermobile89 said:

If two or more people are on a secured network, one of them using the firesheep extension, is it still possible for them to eavesdrop, or is it only possible (easily) for open networks?

Burty117 Burty117, TechSpot Chancellor, said:

I think its only possible easily if its an unsecured network. Anyway I cannot believe websites such as facebook and yahoo mail don't use full end-to-end encryption for logins! I mean, theres always a story on the internet somewhere about these sites being exploited everyday yet they haven't really done much about it by the sounds of it?

B00kWyrm B00kWyrm, TechSpot Paladin, said:

One more reason to avoid FB completely!

In many ways they prove they really do not care about their user.

Unfortunately, like so many other areas of life, we become "dependent" for "function"

and so we "settle" and "suffer the consequences".

kearnsy24 said:

It's just plain silly for people to use free wireless connections for their personal accounts and such. Just wait until you know you're on a secure connection and you have nothing to worry about.

p51d007 said:

I have FF set to remove cookies on exit, plus using fasterfox to clean up after I shut FF

down.

The reason people get their info stolen is mostly because they don't secure their computers to start with. How many times have you fixed a friends computer and find their password(s) are something simple, and they run their sessions in ADMINISTRATOR mode?

Fragrant Coit Fragrant Coit said:

Surely a better approach for all concerned would be a WPA (or even WEP) key that changes every day & is perhaps printed on the reciept?

That way it's not Open, at least 1 person needs to make a purchase and it could be marketed as a "caring" implementation. I'm in no way endorsing the Cardboard Burger or Ersatz Coffee merchants etc, but am after a mutually beneficial solution.

Or, leave it open for everyone & their dog within the broadcast radius and let the Devil sort 'em out!

Probably the latter will out.

freythman freythman said:

I'm not sure why people are so concerned about their privacy on Facebook, and the likes, anyway. If you are worried about private information becoming public, don't post it to social networking sites. Then you don't have to worry about how good of a steward they are with your data.

Ranger12 Ranger12 said:

Eh, just avoid firefox. Easy enough.

whiteandnerdy said:

I'm with freythman on this. Don't post stuff you don't want anyone to find out.

bioflex said:

Ranger12 said:

Eh, just avoid firefox. Easy enough.

really?......i have been using firefox ever since i discovered it some years back and i dont think i am going back though i have tried opera and chrome too.

Staff
Jos Jos said:

Eh, just avoid firefox. Easy enough.

It's not a Firefox problem, you could be using any browser. It's about unsecured wireless connections and websites not adopting encrypted HTTPS connections (usually they do this for the initial login but not the entire session)

foreverzero89 said:

if it's NOT HTTPS it's not encrypted.

Relic Relic, TechSpot Chancellor, said:

It's mind boggling that people still use free / open WiFi networks for private data in todays age. If you need to use these services on the go make sure your on an encrypted network at least and definitely in an https session.

@Fragrant Never ever use WEP encryption, it's garbage that gives people a false sense of security.

TorturedChaos, TechSpot Chancellor, said:

I never thought about how easy it is to grab information from open WiFi spots. Glad I don't use any of them :P.

Elitassj4 said:

I don't see the point of facebook or other sites like that, and having a gazillion of "friends", i just can't wrap my head around that .

jason4832 said:

Scary a bit, but lesson learned.

rwright said:

Public Wi-Fi does have its uses. Most people just arent aware of the hazards. Scarey but effective way to raise awareness. *clicks his link to post on Facebook from his secure home network*

grimm808 said:

Good thing I try as much as possible to leave out important private, and personal things. Internets a dangerous place... It's almost as bad as leaving your Credit Card info on Xbox live, and then they try to keep billing you. >

I also heard it's not all that difficult to steal personal info through Xbox live accounts too.

TomSEA TomSEA, TechSpot Chancellor, said:

It's amazing how many unsecured Wi-Fi's there are out there. From my house, when I check for wireless connections, a dozen pop-up and at least 1/4 are unsecured.

But Facebook is a mess. In their effort to attract users, they've completely ignored security options.

frodough said:

wow has FF been made 'too powerful'? im not as code savvy and hearing that does raise a concern or ten.

mikeusru said:

This is like when the US nuked Japan to show them how dangerous nuclear weapons can be. Thanks, friends.

therickster90 said:

I just tried it. I'm sitting here at school on an unsecured connection with 20 people on laptops around me and the only thing it is picking up is my gmail login, which is https. hmmm...at least I don't have facebook anymore.

oasis789 said:

as long as you dont put anything impt on fb, youre safe from firesheep. doesn affect gmail or any other https service

Puiu Puiu said:

keep the extensions to the bare minimum and don't install stupid and useless ones. if you do that then you'll be fine. and also don't install toolbars as they are even worse than a bad written extension.

kaonis92 said:

In other words be very careful in what you are doing when connected to public networks!

ViNCiLiCiouS said:

therickster90 said:

I just tried it. I'm sitting here at school on an unsecured connection with 20 people on laptops around me and the only thing it is picking up is my gmail login, which is https. hmmm...at least I don't have facebook anymore.

Same here. Except I am trying it on my home network (WPA-PSK). I use my roommates computer (with her permission) to log into her Facebook and click random links. Nothing shows up.

It does, however, pick up my own credentials.

Thanks Firesheep!

AppleFanboy said:

This is why I use Safari.

xanthic42 said:

Old news to anyone that uses tcpdump/Wireshark or any other network sniffer if you know how to find the "session keys". Any unencrypted(or poorly encrypted) data can be intercepted for "bad" purposes. IE iPhones will send/receive all of their local bookmarks in plain text when they sync with the server. This doesn't even take into consideration "man in the middle" attacks.

For the comments along the lines of "don't put anything important and it isn't a problem." You are quite simply wrong if anyone on your friends list trusts that you are you. I could steal your FB account(and even better if I got access to your FB email account at the same time) and then pretend I was stranded somewhere you had mentioned traveling to recently, or as was the case in a recent FB chat exploit scam claim I was in London. And along with the notice, ask for money since I need to pay off some fee or another.

Tanstar said:

AppleFanboy said:

This is why I use Safari.

Which does you no good. This isn't a FF problem. It's a combination of using a public WiFi service and websites not encrypting your sessions. His FireFox extension would show all your Safari sessions too.

ruzveh said:

Its always better and safer to visit such private sites from your most secured location called HOME. I never try to access my emails and other pvt accounts outside of home network.

XnaX said:

I knew there was a catch with them fancy open Wi-Fi networks :P

limpangel limpangel said:

@p51d007: Deleting your cookie at FF exit doesn't help. The cookie is still transmitted when you use FF an that's when it is captured. FF deletes the cookie after you exit, but unless you log-out of the website (thus invalidating the session) the session cookie still remains on the sidejacker's computer and it can be used to acces your account.

@Fragrant Coit: Even if the password is changed every day doesn't help because the sidejacker is probably in the same cafe as you and probably has the pass already. The only thing is, he would need another tool to decrypt the data he captures.

@xanthic42: Of course you can use Wireshark, but it is not for everyone. This extension can be installed by not so technical people with just a few clicks and the access is instant.

@AppleFanboy, Ranger12: doesn't mater which web browser you use. You are still vulnerable to sidejacking. Have you even read the article???

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.