Firesheep flames cookie capture risks
Add-on makes sidejacking simple
A developer has released a Firefox extension that illustrates just how vulnerable users of open wireless networks are when they log into websites that rely on cookies for authentication.
It is well understood that cookies sent over insecure connection can easily be captured and replayed to allow a mischief maker or hacker to log into the same website via a process called HTTP session hijacking (AKA sidejacking). A Firefox extension developed by Eric Butler dramatically illustrates this problem.
Surfers who install Firesheep can capture the credentials of anyone who happens to be using the same open network. The extension allows them, for example, to display the Facebook profile picture of a victim and the ability to then log in to a compromised account simply by double-clicking on the profile picture.
The open source extension was released on Mac OS X and Windows to coincide with a talk on the subject by Butler at the Toorcon 12 security conference.
Butler is releasing the utility in order to push more websites into using full end-to-end encryption, known on the web as HTTPS or SSL, for logins.
"It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else," Butler explains. "This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called 'sidejacking') is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website."
A blog post by Butler, containing screenshots of Firesheep in action, can be found here.
Until websites improve their security, a process that could take some time going by past experience, users would be well advised to use a secure VPN connection while surfing on an open WiFi network. ®
Er, the kettle should fix this. Even if you're not using cookies for authentication---
On My Todo List
>>unless some experts have checked it
Surely everyone posting here on El Reg is completely overqualified to do so and probably reads the complete source to everything they download. I will undertake this once I finish reading Dapper Drake and get it installed. Yeah, It's taken a few years to get thru, not much plot in the middle.
Woo, I just get to copy-paste my response to django-users!
CSRF protects you from a 3rd party web site maliciously enticing a user to initiate data changing requests to your site. It does nothing to protect a user from having their cookies jacked by a 3rd party user, and then stopping that user from maliciously using the credentials inferred from those cookies.
That this is even news is surprising - it's hardly a new attack vector. The only new thing about it is it being hooked up to a web browser and showing live feeds of what is happening, which has probably opened the eyes of people who didn't think about it before.
It's like saying 'Oh wow, you can see in plain text peoples emails on unsecured wifi networks' - well, durr, its a plain text protocol, and the whole 'unsecured nework' bit should probably give it away...
If you don't want this to happen, then force the use of SSL throughout your site, and don't hand out session cookies over HTTP.