At the Toorcon 12 hacker conference in San Diego on Sunday, Seattle programmer Eric Butler introduced his Firesheep add-on for the Firefox Web browser in an effort to bring attention to the weakness of open Wi-Fi networks. In a practice known as HTTP session hijacking (or “sidejacking”) the add-on intercepts browser cookies used by many sites, including Facebook and Twitter, to identify users and allows anyone running the program to log in as the legitimate user and do anything that user can do on a particular website.
In a post on his site Butler describes how Firesheep works. Once installed, Firesheep displays a sidebar with a “Start Capturing” button. All the user needs to do is connect to an open Wi-Fi network, click the button and as soon as anyone on the network visits an insecure site known to Firesheep, the program captures the cookie that contains their log in details and their name and photo will be displayed in the sidebar. Double click on the displayed user and you’ll be logged in as them and able to wreak all kinds of havoc.
Butler highlights Facebook and Twitter as two of the more popular sites that are vulnerable to sidejacking using Firesheep but the program can also capture cookies from Foursquare, Gowalla, Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, WordPress, Yahoo and Yelp. Additionally, users can write their own plugins to access other unsecured HTTP sites.
Butler says the only effective way to combat the vulnerability Firesheep takes advantage of is for the sites to use full end-to-end encryption, known as HTTPS or SSL but many sites default to the HTTP protocol because it’s quicker. A TechCruch reader claims to have found a workaround using the existing Force-TLS Firefox extension that forces sites to use the HTTPS protocol, thereby making a user’s cookies invisible to Firesheep. But with most people unlikely to be security conscious enough to install it’s hardly a complete solution.
Butler has released Firesheep as open source and it can be downloaded from his site for both Mac OS X and Windows, with a Linux version on the way.