Easily compromise unencrypted sessions on any WiFi hotspot

Firesheep allows you to easily capture Facebook and other unencrypted sessions on public hotspots.

Screenshot: Codebutler

This week, Seattle-based developer Eric Butler made available for download a pre-release version of a provocative add-on for Mozilla’s Firefox web browser. He calls it Firesheep, and it allows its user to easily hijack the unencrypted sessions of any users who are on the same network segment. All users on public WiFi hotspots (such as at Starbucks) are vulnerable any time they use unencrypted transport protocols such as http. Mr. Butler has posted a well-written explanation of what Firesheep does.

Firesheep uses session hijacking.

This means that I would be vulnerable when using Hotmail or Yahoo Mail: they encrypt the username/password dialog (using https), but then use http for reading the mailbox. Acck! Gmail uses https (Hypertext Transfer Protocol Secure) for the entire session, so Gmail users will remain secure from Firesheep session hijacking.

Use caution on public WiFi hotspots.

The Firesheep add-on shows you a list of all nearby users who are using your hotspot, and which of them are using sites such as Facebook, MySpace, and Twitter. Double-click on a name and you’ll see information about that user, including his/her picture for social networking sites. You are, together with the target user, logged in to the target’s Facebook/MySpace/etc session — you have hijacked that user’s session.

This works because many sites use https first, then switch to http, and give you an unencrypted cookie to identify you. Firesheep intercepts this cookie, saves a copy, and uses it to masquerade as the target user.

Watch a video summary and a good video demo and discussion. View Mr. Butler’s slideshow that accompanied his presentation (press Page Down to view the next slide).

This will force responsible website owners who handle personal information to encrypt everything, including cookies, throughout a session, from end to end. In that respect, this is a good thing. Until then, don’t use public WiFi hotspots for anything personal unless you use them to transport encrypted packets over your company’s VPN. Also, the same vulnerability exists for your iPhone and other smartphones that use WiFi signals. Now that the cat is out of the bag, I’m sure that Hotmail, Facebook, Dropbox, et al will quickly respond by encrypting everything.
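One way a site owner could check a login flow for the weakness described above, as an added example that is not from the original post or from Firesheep: it flags session cookies that lack the `Secure` attribute and https-to-http redirects. The host `mail.example.test`, the cookie names and the header values are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample: (request URL, response headers) for a login flow that
# authenticates over https and then drops back to http, as described above.
SAMPLE_FLOW = [
    ("https://mail.example.test/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "csrf=9f2e; Path=/; Secure; HttpOnly"),
        ("Location", "http://mail.example.test/inbox"),
    ]),
    ("http://mail.example.test/inbox", [
        ("Set-Cookie", "prefs=compact; Path=/"),
    ]),
]

def parse_set_cookie(value):
    """Return (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_flow(flow):
    """Flag cookies and redirects that expose a session to a passive listener."""
    findings = []
    for url, headers in flow:
        scheme = urlsplit(url).scheme
        for header, value in headers:
            h = header.lower()
            if h == "set-cookie":
                name, attrs = parse_set_cookie(value)
                if scheme == "http":
                    # Already sent in the clear; the Secure flag cannot help here.
                    findings.append((url, name, "cookie set over plain http"))
                elif "secure" not in attrs:
                    # Browser will attach this cookie to later http requests.
                    findings.append((url, name, "missing Secure attribute"))
            elif h == "location" and scheme == "https":
                if urlsplit(value).scheme == "http":
                    findings.append((url, value, "https-to-http downgrade redirect"))
    return findings

if __name__ == "__main__":
    for where, item, issue in audit_flow(SAMPLE_FLOW):
        print(f"{where}: {item}: {issue}")
```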

 

Near-term defenses: As a less than perfect defense against session hijacking, if you use the Mozilla Firefox web browser, you can use the Force-TLS add-on to force websites (if they are https capable) to use https . . . but this will work only if each website you visit supports https. (Most, including mine, don’t.) A defensive tool with promise is another Firefox add-on named HTTPS Everywhere, by the Electronic Frontier Foundation. Like Force-TLS, it will work only if the websites that you visit support https.

Visit my website: http://russbellew.com

© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

 
