Firesheep hijacks Firefox to hack information

By siliconindia   |   Wednesday, 27 October 2010, 15:35 IST   |    2 Comments
Bangalore: Eric Butler, a software developer from Seattle, has developed a new Firefox extension called "Firesheep", which has sent hackers on a spree for the personal information of people on social networking sites. The extension makes it dead simple to hijack someone's social networking and email accounts. The add-on essentially enables anyone on an insecure wireless network, reports Mike Lennon of Security Week. Wireless networks at shopping malls or coffee shops are vulnerable to hackers. Firesheep adds a sidebar to the Firefox browser that alerts the user whenever anyone on the same open network logs in to an insecure site such as Twitter or Facebook. Since researcher Eric Butler released Firesheep on Sunday, the add-on has been downloaded nearly 220,000 times.

"As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed in the window. All you have to do is double click on their name and, open sesame, you will be able to log into that user's site with their credentials," says Butler.

This is how it works. It is very common for websites to protect the user's password by encrypting the initial login, but surprisingly uncommon for them to encrypt everything else. This leaves the session cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy. Firesheep is currently able to hijack cookies from Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, GitHub, Google, Hacker News, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, Tumblr, Twitter, WordPress, Yahoo and Yelp.
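The root cause described above is a session cookie that was issued over an encrypted login but is missing the `Secure` attribute, so the browser also attaches it to later plain-HTTP requests, where it can be read off an open network. The following audit script is an added example written for this article, not code from Firesheep or from any of the sites named; the `Set-Cookie` headers it inspects are constructed, and the `SESSION_NAME_HINTS` heuristic is an assumption about what a site's session cookie is usually called.

```python
"""Audit Set-Cookie headers for the sidejacking weakness Firesheep exploited."""
from http.cookies import SimpleCookie

# Constructed sample: a login response served over HTTPS. The first cookie is a
# session identifier without the Secure attribute, so the browser would send it
# in the clear on any later http:// request to the same site.
SAMPLE_HEADERS = [
    "sessionid=d41d8cd98f00b204; Path=/; HttpOnly",                 # weak
    "csrftoken=8f14e45fceea167a; Path=/; Secure",                   # ok
    "lang=en; Path=/",                                              # not a session cookie
    "auth_token=1a2b3c4d; Path=/; Secure; HttpOnly; SameSite=Lax",  # ok
]

# Assumed heuristic: substrings that usually mark a session/auth cookie.
SESSION_NAME_HINTS = ("sess", "auth", "token", "login", "sid")


def looks_like_session_cookie(name: str) -> bool:
    """True when the cookie name suggests it carries the login session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header and report whether it is sidejackable.

    A cookie is sidejackable when it identifies the session and lacks the
    Secure attribute: the browser will then replay it over unencrypted HTTP.
    """
    jar = SimpleCookie()
    jar.load(header)  # one header per call; multi-header strings parse poorly
    name, morsel = next(iter(jar.items()))
    secure = bool(morsel["secure"])      # '' when absent, True when present
    httponly = bool(morsel["httponly"])
    is_session = looks_like_session_cookie(name)
    return {
        "name": name,
        "secure": secure,
        "httponly": httponly,
        "sidejackable": is_session and not secure,
    }


def sidejackable_cookies(headers: list) -> list:
    """Return the names of session cookies that would leak over plain HTTP."""
    return [r["name"] for r in map(audit_set_cookie, headers) if r["sidejackable"]]


if __name__ == "__main__":
    for name in sidejackable_cookies(SAMPLE_HEADERS):
        print(f"{name}: session cookie without Secure attribute, sidejackable")
```

The fix on the server side is to add `Secure` (and `HttpOnly`) to the session cookie and serve the whole site over HTTPS, which is what the quoted experts below mean when they say the problem lies with the sites rather than with Wi-Fi.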
One way users can protect themselves from such rogues is to avoid public Wi-Fi networks that are not encrypted, sticking to those that are available only with a password. However, Ian Gallagher, a senior security engineer with Security Innovation, argued that "While open Wi-Fi is the prime proving ground for Firesheep, it's not the problem. This isn't a vulnerability in Wi-Fi; it's the lack of security from the sites you're using." The other solution is to use a Virtual Private Network (VPN) when connecting to public Wi-Fi networks at an airport or coffee shop. Chet Wisniewski, a senior security adviser at antivirus vendor Sophos, said "there are some VPN services that you can subscribe to for $5 to $10 a month that will prevent someone running Firesheep from 'sidejacking' your sessions."