Nerds On Site

Firesheep + Open WiFi = Social Network Hacking Made (Really) Easy

[Thanks to Nerd Dennis Houseknecht for this post]
HTTP session hijacking (a.k.a. sidejacking) has been around for a while, but it always took a bit of hacking skill to make it work. The concept is pretty simple. Most social networking sites log you in using HTTPS, but then switch to HTTP because the connection overhead is lower. If you are on an insecure wifi network (one that does not use a password, or one that uses the same password for every user), HTTP traffic is easily intercepted – it is being broadcast to everyone within wifi range.
Anyone intercepting the traffic can see what you see. This may not be such a big deal, BUT the session cookies can also be intercepted, which would allow an attacker to do anything on the site that you can do – at least as long as you remain logged in. They have full access to your account until you log out.
Firesheep is a new Firefox extension that makes the whole process so easy your Grandma could do it. She wouldn’t, because your Grandma is so sweet, and she wouldn’t be interested in hacking Facebook anyway. The real problem is that now a “script-kiddie” can be any “kiddie” with a laptop.
What to do? If you are on a wired connection, or on a wireless connection that is secured by WPA or WPA2 and a strong password, you are safe. If you really MUST access social networking sites from an open wifi, there are Firefox extensions, such as HTTPS Everywhere and force-tls, that attempt to force HTTPS for all connections, and not just for the login. Not all sites support this, though. Here are some links to more information:
http://www.securityweek.com/firesheep-extension-firefox-enables-hacking-masses-hijacks-browser-sessions-ease
http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/
http://techcrunch.com/2010/10/25/firesheep/
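As an added example (not part of Dennis's post or of Firesheep), here is a small Python audit of the two server-side settings that decide whether the session cookie described above travels in the clear: the cookie's Secure attribute and the Strict-Transport-Security (HSTS) header, which is the server-side counterpart of what extensions like force-tls try to enforce from the client. The two HTTP responses are constructed for the example.

```python
# Added example, not code from the original post: audit a raw HTTP response for
# the two settings that decide whether a session cookie can be sniffed on open
# wifi: a cookie without the Secure attribute (the browser will send it over
# plain HTTP too) and a missing Strict-Transport-Security header (nothing keeps
# the browser on HTTPS after login). Both responses below are constructed.

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 response into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_attrs(set_cookie: str) -> tuple[str, set[str]]:
    """Return the cookie name and its lowercased attribute names (Secure, HttpOnly, ...)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(raw: str) -> dict:
    """Report cookies that may travel over HTTP and whether HSTS is present."""
    headers = parse_headers(raw)
    without_secure = [cookie_attrs(v)[0] for n, v in headers
                      if n == "set-cookie" and "secure" not in cookie_attrs(v)[1]]
    hsts = any(n == "strict-transport-security" for n, _ in headers)
    # Exposed: at least one cookie lacks Secure AND nothing forces the browser
    # to stay on HTTPS, so a plain-HTTP request would carry the cookie in clear.
    return {"cookies_without_secure": without_secure, "hsts": hsts,
            "exposed": bool(without_secure) and not hsts}

# Constructed: the pattern the post describes, login over HTTPS but the session
# cookie is usable over HTTP and nothing pins the browser to HTTPS.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Content-Type: text/html\r\n"
                 "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
                 "Set-Cookie: lang=en; Path=/\r\n\r\n")
# Constructed: same site with Secure on the session cookie and HSTS enabled.
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                     "Content-Type: text/html\r\n"
                     "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
                     "Set-Cookie: lang=en; Path=/\r\n"
                     "Strict-Transport-Security: max-age=31536000\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp))
```

Note that in the hardened response the harmless `lang` cookie still lacks Secure, but HSTS keeps the browser from making plain-HTTP requests to that host at all, so it is no longer reported as exposed.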