I’ve recently stumbled upon a story about a web browser extension that, in my opinion, is one of the biggest mainstream security vulnerabilities in existence right now.
The browser in question is Firefox, and although it’s been gaining in popularity over the last couple of years, it’s also becoming more prone to hacks. Firefox is a great browser and is popular among tech-savvy folks because of its ability to be customized using extensions or plug-ins. This particular extension has been downloaded well over 600,000 times, so it is definitely becoming an issue. Why? Read on.
Now don’t be too alarmed here. This issue only applies to areas with open Wi-Fi, such as a library or internet cafe, but some communities, such as my hometown of Owen Sound, are opening up Wi-Fi to be freely used in some capacity. And what most patrons of these places will do is check their email, go on Twitter or Facebook, or visit just about any other social site that requires a log-in.
Let’s use Facebook as an example here. When you log in to Facebook, it sends you a cookie, or token, which your computer sends back with every request for the length of your session. This is so you don’t have to log in to see each page you visit in Facebook; they see that it’s you each time you click on a link and think, “OK, it’s just you. You can access that page.”
Now, if someone can get in the middle of that session and grab that cookie, they can impersonate you for the duration of that session, which gives them the freedom to update your status, do friend requests, etc. This is scary, and was a non-trivial attack until someone named Eric Butler created the Firefox extension Firesheep. My research on Eric Butler tells me that he is actually a proponent of security, and I think he did this to show sites like Facebook and Twitter that this is a big problem and that they need to make their sites more secure.
So how does Firesheep work? Once installed in Firefox, you can go into a coffee shop or someplace with open internet access via Wi-Fi and run the extension. This puts a list in a sidebar in your browser that shows all the people who are logged in to a site that requires a log-in. You’ll see their profile pictures, actually, and will be able to identify them if they’re in the same room. You double-click on their picture, Firesheep gives you their cookie, and logs you into their account without asking for a username or password.
There are a lot of sites that are vulnerable to session hijacks besides Twitter and Facebook. Flickr, Foursquare and other popular social media sites are also at risk. To put it simply, if the site URL begins with “http” rather than “https”, it’s vulnerable. Google has recently switched its Gmail service to “https”, which stops Firesheep dead in its tracks, and I suspect Facebook and company should follow suit as soon as possible.
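To make the “http” versus “https” point concrete, here is an added example (not part of the original post, and not code from Firesheep or any site mentioned) of a check a site operator could run against their own responses. It goes one step beyond the text by also looking at the standard `Secure` cookie attribute; the URLs and cookie values are constructed samples.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: (URL of the response, its Set-Cookie header values).
SAMPLE_RESPONSES = [
    ("http://social.example/home", ["session=abc123; Path=/"]),
    ("https://social.example/login", ["session=abc123; Path=/; HttpOnly"]),
    ("https://mail.example/inbox", ["sid=xyz789; Path=/; Secure; HttpOnly"]),
]

PLAIN_HTTP = "set over plain http"
NO_SECURE = "https response but no Secure attribute"


def exposed_cookies(url, set_cookie_headers):
    """Return (cookie name, reason) pairs for cookies that can cross an
    open Wi-Fi network unencrypted."""
    scheme = urlsplit(url).scheme.lower()
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie value and its attributes
        for name, morsel in jar.items():
            if scheme != "https":
                # The whole exchange is cleartext, cookie included.
                findings.append((name, PLAIN_HTTP))
            elif not morsel["secure"]:
                # Without Secure, the browser also attaches this cookie to
                # any later http:// request to the same host.
                findings.append((name, NO_SECURE))
    return findings


def audit(responses):
    """Map each URL that leaks at least one cookie to its findings."""
    report = {}
    for url, headers in responses:
        found = exposed_cookies(url, headers)
        if found:
            report[url] = found
    return report


if __name__ == "__main__":
    for url, found in audit(SAMPLE_RESPONSES).items():
        for name, reason in found:
            print(f"{url}: cookie '{name}' exposed ({reason})")
```

Only the third sample, served over https with `Secure` set, keeps its session cookie off the open network.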
Now, there are a couple of ways to protect yourself from session hijacking. A couple of blockers are currently available: Fireshepherd for Windows, and BlackSheep for Mac users. These tools trick Firesheep with fake cookies and detect when Firesheep attempts to hijack someone’s session. Venues offering free open Wi-Fi should turn on WPA2 encryption, which requires a password to access the network and will stop these attacks. The catch is that the proprietor would have to give out a password to each user, and quite frankly, if the hijacker is given the same password, the network is still at risk.
The best defence against session hijackers is to refrain from visiting any site that is not secure while in a public place. Behaviour is the best and easiest place to start protecting yourself online.