New Firefox add-on hijacks Facebook, Twitter sessions

A new Firefox add-on lets "pretty much anyone" scan a Wi-Fi network and hijack others' access to Facebook, Twitter and a host of other services.

A new Firefox add-on lets "pretty much anyone" scan a Wi-Fi network and hijack others' access to Facebook, Twitter and a host of other services, a security researcher warned today.

The add-on, dubbed "Firesheep," was released Sunday by Eric Butler, a Seattle-based freelance Web application developer, at the ToorCon security conference, which ran Oct 22-24 in San Diego, Calif.

Butler said he created Firesheep to show the danger of accessing unencrypted Web sites from public Wi-Fi spots.

Although it's common for sites to encrypt user log-ons with HTTPS or SSL, few encrypt the actual traffic. "This leaves the cookie, and the user, vulnerable," said Butler in a post to his personal blog. "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."

With a user's cookie in hand, a criminal can do anything the user can do on a site, Butler noted. Among the sites that Firesheep can hijack are Facebook, Twitter, Flickr, bit.ly, Google and Amazon.
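The weakness Butler describes is a site that encrypts the log-on but then issues a session cookie the browser will also send over plain HTTP. An added example (not Firesheep's code or anything from the article) that audits `Set-Cookie` headers for session-looking cookies missing the `Secure` attribute; the host names, header values and the name heuristic are all constructed for illustration:

```python
"""Flag session cookies that a browser would send over unencrypted HTTP.

Constructed example, not part of the article. The sample headers below are
made up: one site issues its session cookie without the Secure attribute,
the other sets it, so only the first exposes the cookie on an open network.
"""
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers per host (assumed names, not real sites).
SAMPLE_RESPONSES: Dict[str, List[str]] = {
    "weak-site.example": [
        "sessionid=abc123; Path=/; HttpOnly",   # no Secure: also sent over HTTP
        "lang=en; Path=/",                       # preference cookie, not a session
    ],
    "hardened-site.example": [
        "sessionid=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
}

# Heuristic (assumed) substrings that suggest a cookie carries login state.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, attributes); valueless flags map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def find_exposed_session_cookies(headers: List[str]) -> List[str]:
    """Names of session-looking cookies that lack the Secure attribute."""
    exposed = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if is_session_cookie(name) and "secure" not in attrs:
            exposed.append(name)
    return exposed


def audit(responses: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each host to the session cookies it would leak on plain HTTP."""
    return {host: find_exposed_session_cookies(h) for host, h in responses.items()}


if __name__ == "__main__":
    for host, names in audit(SAMPLE_RESPONSES).items():
        print(host, "exposes" if names else "protects session cookies", names or "")
```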

Butler did not reply to an interview request Monday.

"None of this is new, the flaw certainly isn't," said Richard Wang, the U.S. manager of SophosLabs, the research arm of U.K.-based security company Sophos. "But Firesheep makes it so easy to discover [unencrypted traffic and cookies] that pretty much anyone can use it to listen to what others are doing at public hotspots."

Firesheep adds a sidebar to Mozilla's Firefox browser that shows when anyone on an open network -- such as a coffee shop's Wi-Fi network -- visits an insecure site. "Double-click on someone [in the sidebar] and you're instantly logged on as them," said Butler in his short description of his add-on.

The add-on appears to be irresistible: Since Butler posted Firesheep on Sunday it's been downloaded nearly 50,000 times.

Butler created Firesheep to illustrate the wide-ranging problem of unencrypted sites and public networks. "Web sites have a responsibility to protect the people who depend on their services," he said. "They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure Web. My hope is that Firesheep will help the users win."

Wang was hopeful that the add-on would prompt more sites to encrypt their sessions. "The hope here is of increased use of HTTPS," he said. But he also urged more public networks to secure their users, although he acknowledged the logistics -- handing out the passwords necessary to connect -- would be daunting. "It's the old 'security-versus-convenience' argument," he noted.

Users can protect themselves, said Wang, by refusing to access insecure sites while at open networks, or for the technically inclined, by relying on a secure proxy server, perhaps one run on their work machine, which their laptops would in turn access.

"But that's not a solution for the average user," Wang admitted.

Firesheep, which works with the Windows and Mac OS X versions of Firefox, can be downloaded free-of-charge from here.

Additional information on Firesheep can also be found here.

Butler is working on Firesheep for the Linux edition of Firefox.

Gregg Keizer, Computerworld (US)