A freelance software developer has created a Firefox plug-in that allows the user to scan a network and steal cookies for hijacking user accounts.
Monday at the ToorCon 12 security conference, Seattle-based freelance software developer Eric Butler announced the release of Firesheep, a Firefox plug-in that allows a user to scan a Wi-Fi network and hijack another user's access to Twitter, Facebook and many other websites.
According to Butler, the plug-in was created to show how popular websites still leave users exposed despite their "privacy" feature upgrades.
"It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else," he said. "This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."
Butler suggested that it was pointless to roll out new privacy features when someone can take over the account by accessing cookies. He said that the only real way to resolve the issue is for Facebook and other sites to offer full end-to-end encryption via HTTPS or SSL. "When it comes to user privacy, SSL is the elephant in the room," he added.
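The weakness Butler describes is a server-side configuration problem: the login is protected by HTTPS, but the session cookie it sets is not marked `Secure`, so the browser will also attach it to later plain-HTTP requests, where anyone on the same open network can read it. The check below is an added example written for this page, not Firesheep's code nor any site's real headers; it audits a constructed set of HTTP response headers for the two settings a site needs to close the gap, a `Secure` flag on the session cookie and a `Strict-Transport-Security` header so the browser stops making plain-HTTP requests at all. The header values and the cookie name `session_id` are constructed for illustration.

```python
"""Audit HTTP response headers for the Firesheep-style weakness:
a session cookie that the browser would also send over plain HTTP.
Added example; the headers below are constructed, not captured from any site."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True, valued ones (Path=/) to their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value):
    """Return (cookie_name, list_of_problems) for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header_value)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: browser will send it over plain HTTP")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by page scripts")
    return name, problems


def audit_response(headers):
    """headers: list of (name, value) pairs as a server sends them.

    Returns a list of human-readable findings; an empty list means the
    response sets no cookie that could leak in the clear and tells the
    browser (via HSTS) to stay on HTTPS for future requests.
    """
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie_name, problems = audit_cookie(value)
            findings.extend(f"cookie {cookie_name}: {p}" for p in problems)
        elif lname == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        findings.append(
            "no Strict-Transport-Security: later plain-HTTP requests are not upgraded"
        )
    return findings


# Constructed headers modelling the pattern Butler describes: the login page
# was served over HTTPS, but the cookie it sets carries no Secure flag.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=constructed-example-value; Path=/; HttpOnly"),
]

# The same response after the fix: Secure flag plus HSTS for a year.
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=constructed-example-value; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        findings = audit_response(headers)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against a real site, the same function can be fed the `(name, value)` pairs from a captured response of your own service; the point is that the fix is on the server, since a user cannot add the `Secure` flag to a cookie the site chose to set without it.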
Firesheep appears frighteningly simple. After the initial installation, users will see a new sidebar in the Firefox browser located to the left. This area provides a "Start Capturing" button they can press after connecting to an open network. Once another unsuspecting network user accesses a known insecure website, the plug-in will display their name and photo under the button. The Firesheep user can then click on the name and log onto their account.
Currently Firesheep can be downloaded here for Windows and OS X; however, Windows users will need to install WinPcap first.
Tuesday Butler said that Firesheep had become the #10 trending search on Google in the U.S. The plug-in has also been downloaded 129,000 times over the past twenty-four hours and has become one of the "Top Tweets" on Twitter. "I've received a ton of great messages from people who are happy that this issue has finally received widespread attention, so after day one I'm happy with the result," he said.
WHOA thats pretty crazy. WPA is with a hex is the way to go! :p
I have heard of this before but it's kinda nice to know how it works, thanks man
fullowin 'n' suppin :)
wtfiniggagun
following and supporting
lol! funny! I hate those facebooktards
nice tool :P i hate fcbk too
Exactly why I disable all my Firefox addons.
Nice blog, followed ;) Come follow mine :)
Lol nice :D
I've been reading about this guy, nice defamation of character hack. :D
I read about this. I am surprised that it is so easy to access other people's accounts.
i will download this add on :D
wow just wow o_O
wow, is there a way to fix this security hole?
yup smart people use chrome
What can we do to protect ourselves?
Wow really??? Thanks for the info man.
Scary..
This is just the renewal of old school applications like Wireshark and Ethereal. Nothing that wasn't already possible, just employs more GUI.
saw this, kinda scary
is there anything firefox addons can't do
My facebook account got Hijacked and they won't let me log in anymore unless i recognize a random set of friends i have which I don't know half of them very well. It seems like facebook is offering me several friends a day I don't even know. Though I'm smart enough not to add them on my new fb. I did have a wireless modem at the time but it must be hard to get in ? idk.....