Firefox add-on lets users hijack web-browsing sessions
The add-on, dubbed ‘Firesheep’, was released by Eric Butler, a Seattle-based freelance web application developer, during the ToorCon security conference, which took place in California recently.
Butler said he created Firesheep to show the danger of accessing unencrypted websites from public Wi-Fi spots.
Although it’s common for sites to encrypt user log-ons with HTTPS or SSL, few encrypt the actual traffic. “This leaves the cookie, and the user, vulnerable,” said Butler in a post to his blog. “On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.”
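The mechanism Butler describes can be reproduced with nothing more than Python’s standard cookie jar. The following is an added example, not code from the article or from Firesheep: it simulates a browser that logged in over HTTPS and then loads an ordinary http:// page on the same site, and reports which cookies the browser attaches to that plaintext request. The hostnames, cookie names and values are constructed for the example; the point is that a session cookie set without the Secure attribute rides along on every unencrypted request, which is what a sniffer on open Wi-Fi sees, while the same cookie marked Secure stays confined to HTTPS.

```python
"""Why an HTTPS-only login does not protect the session cookie.

Added example (not from the article or from Firesheep). A stock
http.cookiejar stands in for the browser; the site and cookie values
are constructed for illustration.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response so CookieJar.extract_cookies()
    can parse Set-Cookie headers offline (constructed for this example)."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            # Message keeps repeated headers, so several Set-Cookie lines work.
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def jar_after_login(set_cookie_headers, login_url="https://example.com/login"):
    """Build the cookie jar a browser would hold after an HTTPS login
    response carrying the given Set-Cookie headers."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers), Request(login_url))
    return jar


def cookie_names_sent(jar, url):
    """Names of the cookies the jar attaches to a request for url.
    The jar's policy drops Secure cookies when the scheme is not https/wss."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def sniffable_cookies(set_cookie_headers, plain_url="http://example.com/home"):
    """Cookies that travel in the clear when the user later loads a
    plain-HTTP page of the same site: exactly what an open-Wi-Fi
    eavesdropper would capture."""
    return cookie_names_sent(jar_after_login(set_cookie_headers), plain_url)


# Constructed login response: HTTPS login, but the session cookie lacks
# the Secure attribute. This is the configuration the article describes.
WEAK_LOGIN = ["session=abc123; Path=/; HttpOnly"]

# Corrected configuration: Secure restricts the cookie to HTTPS requests.
FIXED_LOGIN = ["session=abc123; Path=/; HttpOnly; Secure"]


if __name__ == "__main__":
    print("weak config, sent over http:// :", sniffable_cookies(WEAK_LOGIN))
    print("fixed config, sent over http:// :", sniffable_cookies(FIXED_LOGIN))
    print("fixed config, sent over https://:",
          cookie_names_sent(jar_after_login(FIXED_LOGIN),
                            "https://example.com/home"))
```

Marking the cookie Secure only helps if the site also serves its pages over HTTPS; otherwise the logged-in user simply loses the session on the plain-HTTP pages. That is why the remedy the article’s sources point to is full-session HTTPS rather than an encrypted login alone.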
Butler has yet to reply to a request for an interview.
“None of this is new, the flaw certainly isn’t,” said Richard Wang, the US manager of SophosLabs, the research arm of security company Sophos. “But Firesheep makes it so easy to discover [unencrypted traffic and cookies] that pretty much anyone can use it to listen to what others are doing at public hotspots.”
Firesheep adds a sidebar to Mozilla’s Firefox browser that shows when anyone on an open network – such as a coffee shop’s Wi-Fi network – visits an insecure site. “Double-click on someone [in the sidebar] and you’re instantly logged on as them,” said Butler in his short description of his add-on.
The add-on appears to be irresistible: Since Butler posted Firesheep, it’s been downloaded nearly 50,000 times.
Butler created Firesheep to illustrate the wide-ranging problem of unencrypted sites and public networks. “Websites have a responsibility to protect the people who depend on their services,” he said. “They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.”
Wang was hopeful that the add-on would prompt more sites to encrypt their sessions. “The hope here is of increased use of HTTPS,” he said. But he also urged more public networks to secure their users, although he acknowledged the logistics – handing out the passwords necessary to connect – would be daunting. “It’s the old ‘security-versus-convenience’ argument,” he noted.
Users can protect themselves, said Wang, by refusing to access insecure sites while at open networks, or for the technically inclined, by relying on a secure proxy server, perhaps one run on their work machine, which their laptops would in turn access.
“But that’s not a solution for the average user,” Wang admitted.
Firesheep, which works with the Windows and Mac OS X versions of Firefox, can be downloaded free of charge from the GitHub site.
Butler is working on Firesheep for the Linux edition of Firefox.