Session hijacking is nothing new and has been around for a long time. But the way Firesheep, a brand-new Firefox extension, uses the vulnerability of all unsecured HTTP sites like Twitter & Facebook to demonstrate session hijacking for n00bs is scary and mind-blowing at the same time.
Firesheep is a Firefox extension by developer Eric Butler that exposes the soft underbelly of the web by letting you eavesdrop on any open Wi-Fi network and capture users’ cookies.
As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed in the window. All you have to do is double-click on their name and, open sesame, you will be logged into that site as that user.
This is how it works. If a site is not secure, it keeps track of you through a cookie (more formally referred to as a session) that contains identifying information for that website. The tool effectively grabs these cookies and lets you pose as the user.
This particular vulnerability is accessible only on an open Wi-Fi network connection. So, you need not press the panic button unless you are using an open Wi-Fi. If you are on one of those free open Wi-Fi networks on a train or in a coffee shop, anyone can swiftly access some of your most private, personal information and correspondence at the click of a button. And you will have no idea.
The list of websites that are not secure and hence susceptible to this vulnerability includes Foursquare, Gowalla, Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp.
At the time of writing this post, more than 3000 people have downloaded the plugin, which was released less than 2 hours back. Whoa!
We must note that the intention of Eric Butler (and ours too) is to expose the severe lack of security on the web. Looking at this, all those rants about Facebook Privacy (or the lack of it) and the likes seem minuscule.
Note: If you are the geeky type, it is well worth following the conversation on Hacker News.
Update: TechCrunch suggests that users install the Force-TLS add-on for Firefox to circumvent this issue by forcing those sites to use the HTTPS protocol, thereby making user cookies invisible to Firesheep.
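A site owner can check for the cookie exposure described above from the site's own response headers. The following is an added example, not code from the original post or from Firesheep: it flags cookies that would cross an open network in clear text, either because the response came over plain HTTP or because the cookie lacks the Secure attribute and is therefore also sent on plain HTTP requests to the same site. The site name example.test, the cookie values and the function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for cookies that a passive
# listener on an open network could read. All sample data is constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_response(url, set_cookie_headers):
    """Return (cookie name, reason) for cookies that can travel over HTTP."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if url.lower().startswith("http://"):
            findings.append((name, "set over plain HTTP: visible on the wire"))
        elif "secure" not in attrs:
            findings.append(
                (name, "no Secure attribute: browser also sends it over HTTP"))
    return findings

# Constructed responses from a hypothetical site, example.test
SAMPLES = [
    # Login page served over HTTP: the cookie is exposed immediately.
    ("http://example.test/login", ["session_id=abc123; Path=/; HttpOnly"]),
    # Login over HTTPS, but the cookie leaks on any later HTTP request.
    ("https://example.test/login", ["session_id=abc123; Path=/; HttpOnly"]),
    # HTTPS plus Secure: the cookie never leaves an encrypted connection.
    ("https://example.test/login",
     ["session_id=abc123; Path=/; Secure; HttpOnly"]),
]

def run_samples():
    return [audit_response(url, cookies) for url, cookies in SAMPLES]

if __name__ == "__main__":
    for (url, _), result in zip(SAMPLES, run_samples()):
        print(url, "->", result or "OK")
```

Only the third sample comes back clean; the second shows why serving the login page over HTTPS is not enough if the session cookie itself is not marked Secure.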