Firesheep Makes HTTP Session Hijacking Simple

Firesheep makes anyone uncomfortable using a free unencrypted wireless network.


Who would have thought that a single Firefox extension could get massive attention from security analysts, the media and even the public? Firesheep makes anyone uncomfortable using a free unencrypted wireless network because it captures and exploits HTTP session cookies sent over an unsecured wireless connection. Anyone who installed the extension could easily hack someone else’s Facebook and Twitter account, and possibly every login that relies on cookies.

I was impressed when this extension was released for Firefox. If you are using OS X you don’t even have to download any prerequisite software. On Windows, you have to install some packet capture software first. After installing the extension, roam around, use any free and unencrypted wifi, and you can already hack. It’s that simple. Anyone could be a hacker these days.

HTTP session hijacking is a serious security flaw, something that you shouldn’t ignore. It was discussed on the blog of Firesheep’s developer, Eric Butler:

HTTP Session hijacking, as a vulnerability, is nothing new in the year 2010. It is a security vulnerability that people have been aware of for quite some time, with notable tools and papers existing at least since 2004 on this exact subject. OWASP (The Open Web Application Security Project) categorizes the issues responsible for HTTP Session Hijacking into one of its Top 10 Web Security Risks, “A3: Broken Authentication and Session Management”.

There are several ways to protect yourself from the exploit. The most obvious is that you should never use unencrypted wireless access. Use WPA or stronger encryption, if available, on your wireless network. You can also use browser extensions such as HTTPS Everywhere to force secure HTTP (HTTPS) on supported websites. Other methods involve using SSH (Secure Shell) and VPN. You can read how to do it here and here.
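The measures above all keep the session cookie off the plaintext channel from the user's side. The site-side counterpart is serving logins over HTTPS and marking session cookies Secure, which the following added example checks (it is not from the original post or from Firesheep; the hostnames, cookie names and values are constructed, and the name-based session heuristic is an assumption):

```python
# Constructed sample responses (hostnames, cookie names and values are made up).
SAMPLE_RESPONSES = {
    "http://social.example/login": [
        ("Set-Cookie", "session_id=3f9a1c; Path=/; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/"),
    ],
    "https://bank.example/login": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "session_id=77be02; Path=/; Secure; HttpOnly"),
    ],
    "https://mail.example/login": [
        ("Set-Cookie", "auth_token=c0ffee; Path=/; secure"),
        ("Set-Cookie", "SESSID=91ab; Path=/"),
    ],
}

# Assumption: cookies whose names contain these substrings carry the login session.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def parse_set_cookie(value):
    """Return (name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(url, headers):
    """List findings that leave a session cookie readable on an open network."""
    findings = []
    header_names = {h.lower() for h, _ in headers}
    if not url.lower().startswith("https://"):
        findings.append("login page served over plaintext HTTP")
    elif "strict-transport-security" not in header_names:
        findings.append("no HSTS header: browser may still make http:// requests to this host")
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if any(h in name.lower() for h in SESSION_HINTS) and "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure: sent on any http:// request")
    return findings


if __name__ == "__main__":
    for url, headers in SAMPLE_RESPONSES.items():
        print(url, "->", audit(url, headers) or "ok")
```

A cookie without the Secure attribute is attached to any plain http:// request to the same host, which is the traffic an eavesdropper on an open network can read.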

The release of Firesheep creates more awareness of the danger of HTTP session hijacking and the peril of using unsecured wireless connections.

So the next time you stop by your favorite coffee shop, I dare you to use the free unsecured wifi. I might be just around the corner stealing your cookies. Nomnomnom.

Credit: image taken from Taltopia.

By Marck V.

Filipino IT consultant on enterprise software. In his spare time he does web project management, photography and blogging. Web 2.0 enthusiast.