Firefox add-on allows session hijacking of popular sites

By

'Firesheep' highlights lack of encryption.

A computer researcher has released a plug-in for the Firefox web browser that lets anyone scan open Wi-Fi networks and hijack Twitter and Facebook accounts.

Firefox add-on allows session hijacking of popular sites

The add on, called “Firesheep”, was released at the ToorCon security conference in San Diego by Eric Butler, a Seattle-based web application and software developer.

Butler designed the add-on to highlight the danger of accessing unencrypted websites via public Wi-Fi networks, according to a blog post.

Websites commonly protect users' passwords by encrypting the initial login, Butler said. However, many popular sites – including Facebook and Twitter – do not use end-to-end HTTPS or SSL encryption to safeguard sessions, leaving them vulnerable to an attack known as "HTTP session hijacking", which allows an attacker to obtain a user's cookie to take over their account. 

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users,” Butler wrote.

Facebook, for example, has not implemented end-to-end SSL or HTTPS encryption, according to Butler.

A Facebook spokesman told SCMagazineUS.com that users should be cautious when sending or receiving information over unsecured Wi-Fi networks. 

“We have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months,” the spokesman said.

Firesheep adds a sidebar to Firefox that can be used to connect to an open Wi-Fi network, Butler explained. Once connected, the extension displays the name and photo of anyone on the network who visits an unsecured website.

“Double-click on someone, and you're instantly logged in as them,” he wrote.

The add-on has been downloaded more than 177,000 times since it became available on Sunday. It also has ranked as a "trending" topic on Twitter and Google.

Butler said he hopes the new add-on will encourage websites to take security more seriously.

“Websites have a responsibility to protect the people who depend on their services,” he wrote. “They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."

See original article on scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
addonallowsfirefoxhijackingofpopularsecuritysessionsites

Sponsored Whitepapers

Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond

Events

Most Read Articles

SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift
Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks
WhatsApp banned on US House of Representatives devices

WhatsApp banned on US House of Representatives devices
Victoria's first government tech chief steps down

Victoria's first government tech chief steps down
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?