Los Angeles — Secure logins have become one of the most critical issues pertaining to web security today. Eric Butler, a Seattle-based freelance web application developer, the creator of a Firefox extension called Firesheep, has spurred anxiety with a new add-on program for the popular Web browser Firefox that allows virtually anyone to hijack other people’s accounts on popular websites like Facebook or Twitter, when connected over unsecured wireless networks and not using HTTPS.
At the ToorCon security conference, Butler demonstrated the newly released Firefox add-on called Firesheep, which virtually makes it effortless for anyone to intercept a Wi-Fi network and steal login details of Facebook, Twitter and several other services. Hackers can then sign into those sites posing as those users. This is one heck of a dangerous extension that indicates the security loophole in any website.
How Firesheep Works:
Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. Firesheep initiates a type of attack known as a session hijacking, which involves intercepting and stealing session cookies when they get transmitted over the air. Session cookies are small text files containing unique identifiers, which are stored inside the browser and are used by websites to determine if a user is logged in or not.
Firesheep targets 26 online services, and includes many popular online services such as Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, WordPress and Yahoo. Hence, when a user logs into Amazon, for example, the users browser’s Amazon-specific cookie communicates with the site and contains personally identifying information such as your user name and an Amazon session number ID.
Firesheep does precisely that, however, it does that in such a simplistic way that requires little to no technical knowledge on behalf the attacker. The extension creates a sidebar in Firefox with a “Start Capturing” button. The moment this button is pressed, it starts scanning the WiFi traffic for cookies and displays a list of hijackable accounts.
All the hacker has to do is click on the desired account and they are in. It is as simple as that. Firesheep is session hijacking for dummies.
“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users,” Butler writes.
“The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL,” he explains.
Butler says that he devised Firesheep extension for Firefox with an altruistic aim to point out the negligence of popular web services that follow weaker security measures. This Firesheep extension basically exploits the HTTP session hijacking over an open wireless network.
“Websites have a responsibility to protect the people who depend on their services. They have been ignoring this responsibility for too long, and it is time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” Butler concludes.
While Firesheep sounds scary, and once again rings the security alarm of using open Wi-Fi, the new Firefox extension is not as frightening as it sounds.