Firefox add-on allows session hijacking of popular sites

A computer researcher has released a plug-in for the Firefox web browser that lets anyone scan open Wi-Fi networks and hijack Twitter and Facebook accounts.

The add on, called “Firesheep”, was released at the ToorCon security conference in San Diego by Eric Butler, a Seattle-based web application and software developer.

Butler designed the add-on to highlight the danger of accessing unencrypted websites via public Wi-Fi networks, according to a blog post.

Websites commonly protect users' passwords by encrypting the initial login, Butler said. However, many popular sites – including Facebook and Twitter – do not use end-to-end HTTPS or SSL encryption to safeguard sessions, leaving them vulnerable to an attack known as "HTTP session hijacking", which allows an attacker to obtain a user's cookie to take over their account. 

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users,” Butler wrote.

Facebook, for example, has not implemented end-to-end SSL or HTTPS encryption, according to Butler.

A Facebook spokesman told SCMagazineUS.com that users should be cautious when sending or receiving information over unsecured Wi-Fi networks. 

“We have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months,” the spokesman said.

Firesheep adds a sidebar to Firefox that can be used to connect to an open Wi-Fi network, Butler explained. Once connected, the extension displays the name and photo of anyone on the network who visits an unsecured website.

“Double-click on someone, and you're instantly logged in as them,” he wrote.

The add-on has been downloaded more than 177,000 times since it became available on Sunday. It also has ranked as a "trending" topic on Twitter and Google.

Butler said he hopes the new add-on will encourage websites to take security more seriously.

“Websites have a responsibility to protect the people who depend on their services,” he wrote. “They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."

See original article on scmagazineus.com