Firefox extension makes Facebook 'sidejacking' easy

[Jos]

You might want to think twice before logging into your favorite websites when using an open Wi-Fi network. A new Firefox extension shows just how easy it is to snatch browser cookies sent over insecure connection for sites such as Facebook and Twitter, allowing malicious users to log into the same website via a process called HTTP session hijacking -- also known as sidejacking. The extension, dubbed Firesheep, was developed by freelance Seattle-based developer Eric Butler in an effort to push more websites into using full end-to-end encryption for logins.

Firesheep currently targets a few dozen popular sites, including Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, Wordpress and Yahoo. But it is also customizable to target other websites not listed by the developer. Basically what the extension does is eavesdrop on any open Wi-Fi network and list captured cookies on a panel to the left. Typically, this cookie will not contain your password, but even without your password someone using Firesheep can simply load your session cookie with a click and gain access to your account.

In other words someone with access to your Yahoo Mail cookie could send an email on your behalf, with your Facebook he could access friend’s profiles and post messages, and so on. This problem doesn't really register when you're on a secure Wi-Fi network -- when WPA is enabled, for example. But of course there are ways to get around that as well.

Butler says moderately knowledgeable hackers were already exploiting this vulnerability, but by making it dead simple to use he hopes to raise awareness and compel sites to raise the bar on security. He also promised to release a new blog post in the next few hours that will help users protect themselves.

Permalink to story.

https://www.techspot.com/news/40847-firefox-extension-makes-facebook-sidejacking-easy.html

 

[posermobile89]

If two or more people are on a secured network, one of them using the firesheep extension, is it still possible for them to eavesdrop, or is it only possible (easily) for open networks?

 

[Burty117]

I think its only possible easily if its an unsecured network. Anyway I cannot believe websites such as facebook and yahoo mail don't use full end-to-end encryption for logins! I mean, theres always a story on the internet somewhere about these sites being exploited everyday yet they haven't really done much about it by the sounds of it?

 

[B00kWyrm]

One more reason to avoid FB completely!
In many ways they prove they really do not care about their user.
Unfortunately, like so many other areas of life, we become "dependent" for "function"
and so we "settle" and "suffer the consequences".

 

[kearnsy24]

It's just plain silly for people to use free wireless connections for their personal accounts and such. Just wait until you know you're on a secure connection and you have nothing to worry about.

 

[p51d007]

I have FF set to remove cookies on exit, plus using fasterfox to clean up after I shut FF
down.
The reason people get their info stolen is mostly because they don't secure their computers to start with. How many times have you fixed a friends computer and find their password(s) are something simple, and they run their sessions in ADMINISTRATOR mode?

 

[Fragrant Coit]

Surely a better approach for all concerned would be a WPA (or even WEP) key that changes every day & is perhaps printed on the reciept?

That way it's not Open, at least 1 person needs to make a purchase and it could be marketed as a "caring" implementation. I'm in no way endorsing the Cardboard Burger or Ersatz Coffee merchants etc, but am after a mutually beneficial solution.

Or, leave it open for everyone & their dog within the broadcast radius and let the Devil sort 'em out!

Probably the latter will out.

 

[freythman]

I'm not sure why people are so concerned about their privacy on Facebook, and the likes, anyway. If you are worried about private information becoming public, don't post it to social networking sites. Then you don't have to worry about how good of a steward they are with your data.

 

[Ranger12]

Eh, just avoid firefox. Easy enough.

 

[whiteandnerdy]

I'm with freythman on this. Don't post stuff you don't want anyone to find out.

 

[bioflex]

Ranger12 said:
Eh, just avoid firefox. Easy enough.

really?......i have been using firefox ever since i discovered it some years back and i dont think i am going back though i have tried opera and chrome too.

 

[Jos]

Eh, just avoid firefox. Easy enough.

It's not a Firefox problem, you could be using any browser. It's about unsecured wireless connections and websites not adopting encrypted HTTPS connections (usually they do this for the initial login but not the entire session)

 

[foreverzero89]

if it's NOT HTTPS it's not encrypted.

 

[Relic]

It's mind boggling that people still use free / open WiFi networks for private data in todays age. If you need to use these services on the go make sure your on an encrypted network at least and definitely in an https session.

@Fragrant Never ever use WEP encryption, it's garbage that gives people a false sense of security.

 

[TorturedChaos]

I never thought about how easy it is to grab information from open WiFi spots. Glad I don't use any of them .

 

[Elitassj4]

I don't see the point of facebook or other sites like that, and having a gazillion of "friends", i just can't wrap my head around that .

 

[jason4832]

Scary a bit, but lesson learned.

 

[rwright]

Public Wi-Fi does have its uses. Most people just arent aware of the hazards. Scarey but effective way to raise awareness. *clicks his link to post on Facebook from his secure home network*

 

[grimm808]

Good thing I try as much as possible to leave out important private, and personal things. Internets a dangerous place... It's almost as bad as leaving your Credit Card info on Xbox live, and then they try to keep billing you.

I also heard it's not all that difficult to steal personal info through Xbox live accounts too.

 

[TomSEA]

It's amazing how many unsecured Wi-Fi's there are out there. From my house, when I check for wireless connections, a dozen pop-up and at least 1/4 are unsecured.

But Facebook is a mess. In their effort to attract users, they've completely ignored security options.

 

[frodough]

wow has FF been made 'too powerful'? im not as code savvy and hearing that does raise a concern or ten.

 

[mikeusru]

This is like when the US nuked Japan to show them how dangerous nuclear weapons can be. Thanks, friends.

 

[therickster90]

I just tried it. I'm sitting here at school on an unsecured connection with 20 people on laptops around me and the only thing it is picking up is my gmail login, which is https. hmmm...at least I don't have facebook anymore.

 

[oasis789]

as long as you dont put anything impt on fb, youre safe from firesheep. doesn affect gmail or any other https service

 

[Puiu]

keep the extensions to the bare minimum and don't install stupid and useless ones. if you do that then you'll be fine. and also don't install toolbars as they are even worse than a bad written extension.