
Firesheep session hijacking tool makes public Wi-Fi useless


October 25, 2010

The Firesheep add-on for Firefox


At the Toorcon 12 hacker conference in San Diego on Sunday, Seattle programmer Eric Butler introduced his Firesheep add-on for the Firefox Web browser in an effort to bring attention to the weakness of open Wi-Fi networks. In a practice known as HTTP session hijacking (or “sidejacking”), the add-on intercepts browser cookies used by many sites, including Facebook and Twitter, to identify users, and allows anyone running the program to log in as the legitimate user and do anything that user can do on a particular website.

In a post on his site, Butler describes how Firesheep works. Once installed, Firesheep displays a sidebar with a “Start Capturing” button. All the user needs to do is connect to an open Wi-Fi network and click the button. As soon as anyone on the network visits an insecure site known to Firesheep, the program captures the cookie that contains their login details, and their name and photo are displayed in the sidebar. Double-click on the displayed user and you’ll be logged in as them and able to wreak all kinds of havoc.

Butler highlights Facebook and Twitter as two of the more popular sites that are vulnerable to sidejacking using Firesheep, but the program can also capture cookies from Foursquare, Gowalla, Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Flickr, GitHub, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, WordPress, Yahoo and Yelp. Additionally, users can write their own plugins to access other unsecured HTTP sites.

Butler says the only effective way to combat the vulnerability Firesheep takes advantage of is for the sites to use full end-to-end encryption, known as HTTPS or SSL, but many sites default to the HTTP protocol because it’s quicker. A TechCrunch reader claims to have found a workaround using the existing Force-TLS Firefox extension, which forces sites to use the HTTPS protocol, thereby making a user’s cookies invisible to Firesheep. But with most people unlikely to be security conscious enough to install it, it’s hardly a complete solution.
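An added example, not part of the original article or of Firesheep's code: a check a site operator can run over recorded response headers to list the cookies that would cross an open network unencrypted, either because the response itself came over HTTP or because the cookie lacks the Secure attribute and so accompanies any later http:// request. The host, cookie names and header values are constructed samples.

```python
"""Added example: flag cookies that a passive listener on open Wi-Fi could read."""
from urllib.parse import urlsplit


def parse_set_cookie(value):
    """Return (cookie_name, set of lowercased attribute names) for one Set-Cookie value."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    # Attributes are matched by exact name, so a cookie *named* "secure_pref"
    # is not mistaken for one carrying the Secure attribute.
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part.strip()}
    return name, attrs


def exposed_cookies(responses):
    """responses: iterable of (url, [(header_name, header_value), ...]).

    Returns sorted (host, cookie, reason) tuples for cookies that can travel
    over the network without encryption.
    """
    findings = set()
    for url, headers in responses:
        parts = urlsplit(url)
        for h_name, h_value in headers:
            if h_name.lower() != "set-cookie":
                continue
            cookie, attrs = parse_set_cookie(h_value)
            if parts.scheme == "http":
                findings.add((parts.hostname, cookie, "set over plain HTTP"))
            elif "secure" not in attrs:
                findings.add((parts.hostname, cookie,
                              "no Secure attribute; sent on later http:// requests"))
    return sorted(findings)


# Constructed sample responses (hypothetical host and cookie names).
SAMPLE = [
    ("https://social.example/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "csrf=zz9; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "secure_pref=1; Path=/"),
    ]),
    ("http://social.example/home", [
        ("set-cookie", "tracking=t1; Path=/; secure"),
    ]),
]

if __name__ == "__main__":
    for host, cookie, reason in exposed_cookies(SAMPLE):
        print(f"{host}: {cookie}: {reason}")
```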

Butler has released Firesheep as open source and it can be downloaded from his site for both Mac OS X and Windows, with a Linux version on the way.

Via TechCrunch

About the Author
Darren Quick: Darren's love of technology started in primary school with a Nintendo Game & Watch Donkey Kong (still functioning) and a Commodore VIC 20 computer (not still functioning). In high school he upgraded to a 286 PC, and he's been following Moore's law ever since. This love of technology continued through a number of university courses and crappy jobs until 2008, when his interests found a home at Gizmag.

Since Gizmag doesn't use https to secure logins, I suppose it's only a matter of time before a Firesheep user writes an open source plug in for it as well...

Lawrence Lagarde

I wonder, does this work across different browsers (IE, Opera, Chrome, etc)? Or is it just limited to Firefox users?

Andrew Christianson

Open public wifi isn't rendered 'useless'... it renders users vulnerable if they choose to login to anything (that uses 'cookies'). If you just surf the web and don't 'login' to anything... there's no login data to capture. When you go public... don't sign in to anything else, don't sign in to websites that require a login; when you go public, just surf the free public web (no logins)... and don't enter any personal info. Read the news, sports, etc. at news.google.com or browse anywhere else without a login. That's not 'useless'.


Am I logged in? Or is it someone on Firesheep? Crap this sucks.

Fabian Rousset

Properly coded web sites use the SECURE modifier for https cookies (thus - those cookies never travel over unencrypted links), so no burning mutton is going to "do anything that user can do" for them at least.

It's an easy fix for Twitter etc to solve - so good on those heated lambs for rubbing their collective facebooks in their own insecurity :-)


..oops, just logged into Gizmag using my Facebook account. Dang! Fortunately, I'm not using "wireless". :)

@RpD: who doesn't travel with a wi-fi laptop and NOT log into important personal sites...? that would be about as close to 'useless' as I can imagine.

Time to go HTTPS on everything possible...

Matt Rings

Well, anyone who leaves their own personal Wifi open to the public is just asking for trouble although chances of having trouble are fairly slim. The thing I wonder about this article is, if Eric Butler's true intentions are to just bring awareness to the problem, why post the code on how to do it to his website as "open source"? Sounds more like a pride thing to me.

Will, the tink