also @ TechSpot: Oculus Rift secures $16 million in Series A round of funding

Firefox extension makes Facebook 'sidejacking' easy

By

On October 26, 2010, 6:32 AM

You might want to think twice before logging into your favorite websites when using an open Wi-Fi network. A new Firefox extension shows just how easy it is to snatch browser cookies sent over insecure connection for sites such as Facebook and Twitter, allowing malicious users to log into the same website via a process called HTTP session hijacking -- also known as sidejacking. The extension, dubbed Firesheep, was developed by freelance Seattle-based developer Eric Butler in an effort to push more websites into using full end-to-end encryption for logins.

Firesheep currently targets a few dozen popular sites, including Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, Wordpress and Yahoo. But it is also customizable to target other websites not listed by the developer. Basically what the extension does is eavesdrop on any open Wi-Fi network and list captured cookies on a panel to the left. Typically, this cookie will not contain your password, but even without your password someone using Firesheep can simply load your session cookie with a click and gain access to your account.


In other words someone with access to your Yahoo Mail cookie could send an email on your behalf, with your Facebook he could access friend’s profiles and post messages, and so on. This problem doesn't really register when you're on a secure Wi-Fi network -- when WPA is enabled, for example. But of course there are ways to get around that as well.

Butler says moderately knowledgeable hackers were already exploiting this vulnerability, but by making it dead simple to use he hopes to raise awareness and compel sites to raise the bar on security. He also promised to release a new blog post in the next few hours that will help users protect themselves.

,

32 comments

User Comments: 32

Got something to say? Post a comment
  1. October 26, 2010 7:03 PM
    ViNCiLiCiouS said:

    therickster90 said:

    I just tried it. I'm sitting here at school on an unsecured connection with 20 people on laptops around me and the only thing it is picking up is my gmail login, which is https. hmmm...at least I don't have facebook anymore.

    Same here. Except I am trying it on my home network (WPA-PSK). I use my roommates computer (with her permission) to log into her Facebook and click random links. Nothing shows up.

    It does, however, pick up my own credentials.

    Thanks Firesheep!

    Reply
  2. October 26, 2010 9:03 PM
    AppleFanboy said:

    This is why I use Safari.

    Reply
  3. October 26, 2010 9:38 PM
    xanthic42 said:

    Old news to anyone that uses tcpdump/Wireshark or any other network sniffer if you know how to find the "session keys". Any unencrypted(or poorly encrypted) data can be intercepted for "bad" purposes. IE iPhones will send/receive all of their local bookmarks in plain text when they sync with the server. This doesn't even take into consideration "man in the middle" attacks.

    For the comments along the lines of "don't put anything important and it isn't a problem." You are quite simply wrong if anyone on your friends list trusts that you are you. I could steal your FB account(and even better if I got access to your FB email account at the same time) and then pretend I was stranded somewhere you had mentioned traveling to recently, or as was the case in a recent FB chat exploit scam claim I was in London. And along with the notice, ask for money since I need to pay off some fee or another.

    Reply
  4. October 26, 2010 11:03 PM
    Tanstar said:

    AppleFanboy said:

    This is why I use Safari.

    Which does you no good. This isn't a FF problem. It's a combination of using a public WiFi service and websites not encrypting your sessions. His FireFox extension would show all your Safari sessions too.

    Reply
  5. October 26, 2010 11:20 PM
    ruzveh said:

    Its always better and safer to visit such private sites from your most secured location called HOME. I never try to access my emails and other pvt accounts outside of home network.

    Reply
  6. October 27, 2010 3:22 AM
    XnaX said:

    I knew there was a catch with them fancy open Wi-Fi networks :P

    Reply
  7. October 27, 2010 11:25 AM
    limpangel
    limpangel said:

    @p51d007: Deleting your cookie at FF exit doesn't help. The cookie is still transmitted when you use FF an that's when it is captured. FF deletes the cookie after you exit, but unless you log-out of the website (thus invalidating the session) the session cookie still remains on the sidejacker's computer and it can be used to acces your account.

    @Fragrant Coit: Even if the password is changed every day doesn't help because the sidejacker is probably in the same cafe as you and probably has the pass already. The only thing is, he would need another tool to decrypt the data he captures.

    @xanthic42: Of course you can use Wireshark, but it is not for everyone. This extension can be installed by not so technical people with just a few clicks and the access is instant.

    @AppleFanboy, Ranger12: doesn't mater which web browser you use. You are still vulnerable to sidejacking. Have you even read the article???

    Reply

Recently commented stories

Comments page: 1 2

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.
TechSpot on:

Most Popular

Trending Featured
More Trending Topics

Downloads and Drivers

Downloads   Drivers  

Faceless Internet Connection 1.3.12

Snapchat 2.1.0

Light Alloy 4.7.0

Speccy 1.21.491

Tweak-SSD 1.0.20

More Downloads

From the Forums

Windows Explorer Is Not Responding 9 replies on Virus and Malware Removal

win64/Patched.A in services.exe 10 replies on Virus and Malware Removal

Help with Win64/Patched.A 46 replies on Virus and Malware Removal

Possible infection 9 replies on Virus and Malware Removal

Win64 Patched.a and other crap 10 replies on Virus and Malware Removal

More Recent Discussion

Subscribe to TechSpot

Get free exclusive content, learn about new features and breaking tech news.