Firesheep

There’s a lot of buzz about Firesheep, heck it even made The Mercury. So high time I covered it.

Basically this is a consumer hacking tool that anyone can use. One click and it lets you into someone else’s Facebook page! You start it up, it shows you a list of all the Facebook users near you (even has their photos) and you click on anyone to hijack them - easy.

The technique is not new. What is new is that it is a simple plug-in for Firefox and anyone who can click a mouse can use it with no special skill or knowledge.

What Firesheep does is to intercept the non-secure cookies that Facebook (and Twitter, Amazon, Google, Yahoo, Myspace, Flickr and many more) use and then hijack the session. This lets you into the web site logged in as the other person. It’s as if they walked away from their computer without locking it and you sat down. Anything they are logged into, you are in too!

Now, it doesn’t tell you their password, so you can’t go changing it to lock the victim out. But you can change their privacy settings, post embarrassing photos, articles and the like. Or just snoop.

And remember this isn’t just Facebook, it is a lot of web sites.

What’s the catch? You do need to be on the same network and on a hub not a switch. But any open (or WEP) wifi meets these criteria. Many home networks have hubs and some older business networks. The IT people may even have installed a hub just to monitor network traffic.

What’s not vulnerable? Switched networks and WPA encrypted networks. These isolate each user’s traffic by design so the non-encoded cookies don’t pass by every user like they do on a hub network.

Bottom line, if you are on open wifi at a coffee shop, airport etc, you CAN be snooped on very easily. It is not just hackers anymore, the general public can do this too. If you have wifi in your home or business, you absolutely need to read up on wifi security and understand the basics. You've been given a chainsaw and it is vital you read the instruction manual before attempting to use it or you might get hurt.

Why is it a Firefox plug-in? No, it’s not a security flaw in Firefox that is being exploited here, it’s really bad design in web sites like Facebook. They are the ones sending your confidential data around with no encryption. Firefox provides a cross-platform (Mac, Windows, Linux, Android) way of distributing this hacking tool. It could have been written in Java or any other language, the author just wrote it as a Firefox plug-in. Like I said upfront, this is nothing new. Just re-packaged for the masses to use.

Expect chaos.

Since writing this, Facebook now allows you to keep your connection secure (https://facebook.com) but I notice that some FB apps and web pages switch you back to non-secure. FB hasn't quite got it right. You should select "Browse Facebook on a secure connection" under my account, settings, account security.
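
For site owners, the design flaw described above can be checked mechanically. The following is an added example (not part of the original post and not Firesheep's code): a Python audit that replays a browsing trail and reports which cookies would cross the network unencrypted, either because they lack the Secure attribute when a page switches back to http, or because they are set over http in the first place. The hostnames, cookie names and values are constructed, and Path and expiry matching are left out.

```python
from urllib.parse import urlsplit

# Constructed sample: (request URL, Set-Cookie values in its response).
TRAIL = [
    ("https://social.example/login",
     ["session=abc123; Domain=social.example; Path=/; HttpOnly"]),
    ("https://social.example/home",
     ["csrf=tok1; Domain=social.example; Path=/; Secure"]),
    ("http://apps.social.example/game", []),
]

def parse_set_cookie(value, request_host):
    """Split one Set-Cookie value into name, scope and Secure flag."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {
        "name": first.partition("=")[0],
        "domain": domain or request_host,
        "host_only": not domain,   # no Domain attribute: exact host only
        "secure": "secure" in attrs,
    }

def sent_to(cookie, host):
    """Would the browser attach this cookie to a request for host?"""
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def audit(trail):
    """Return (url, cookie name) pairs where a cookie travels in cleartext."""
    jar, exposed = {}, []
    for url, set_cookies in trail:
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme == "http":
            # Cookies lacking Secure are attached to plain-HTTP requests.
            exposed += [(url, c["name"]) for c in jar.values()
                        if not c["secure"] and sent_to(c, host)]
        for value in set_cookies:
            c = parse_set_cookie(value, host)
            if parts.scheme == "http":
                # A cookie set in a plain-HTTP response is visible as it is set.
                exposed.append((url, c["name"]))
            jar[(c["name"], c["domain"])] = c
    return exposed
```

Any pair in the result marks a page where the session can be read off a shared network; the fix on the site's side is to set Secure on the cookie and keep every page on https.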