A new Firefox add-on lets "pretty much anyone" scan a Wi-Fi network and hijack others' access to Facebook, Twitter and a host of other services, a security researcher warned today.
The add-on, dubbed "Firesheep," was released Sunday by Eric Butler, a Seattle-based freelance Web application developer, at the ToorCon security conference, which took place Oct. 22-24 in San Diego. Butler said he created Firesheep to show the danger of accessing unencrypted Web sites from public Wi-Fi spots.
Although it's common for sites to encrypt user log-ons with HTTPS or SSL, few encrypt the actual traffic. "This leaves the cookie, and the user, vulnerable," said Butler in a post to his personal blog. "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."
With a user's cookie in hand, a criminal can do anything the user can do on a site, Butler noted. Among the sites that Firesheep can hijack are Facebook, Twitter, Flickr, bit.ly, Google and Amazon.
Butler did not reply to an interview request Monday.
"None of this is new, the flaw certainly isn't," said Richard Wang, the U.S. director of SophosLabs, the research arm of Abingdon, England-based security company Sophos. "But Firesheep makes it so easy to find [unencrypted traffic and cookies] that pretty much anyone can use it to listen to what others are doing at public hot spots."
Firesheep adds a sidebar to Mozilla's Firefox browser that shows when anyone on an open network -- such as a coffee shop's Wi-Fi network -- visits an insecure site. "Double-click on someone [in the sidebar] and you're immediately logged on as them," said Butler in his short description of his add-on.
The add-on appears to be irresistible: Since Butler posted Firesheep on Sunday it's been downloaded nearly 50,000 times.
Butler created Firesheep to illustrate the wide-ranging problem of unencrypted sites and public networks. "Web sites have a responsibility to protect the people who depend on their services," he said. "They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure Web. My hope is that Firesheep will help the users win."
Wang said he was hopeful that the add-on would prompt more sites to encrypt their sessions. "The hope here is of increased use of HTTPS," he said. But he also urged more public networks to secure users, although he acknowledged the logistics -- handing out the passwords that users would need in order to connect -- would be daunting. "It's the old 'security-vs.-convenience' argument," he noted.
Users can protect themselves, said Wang, by refusing to access insecure sites while at open networks.
He added that people who are more technically inclined could rely on a secure proxy server, perhaps one run on their work machine, which their laptops would in turn access. "But that's not a solution for the average user," Wang admitted.
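The exposure Butler describes (an encrypted log-on followed by a session cookie the browser will also send over plain HTTP) and the wider HTTPS use Wang hopes for can both be checked from a site's response headers. The following audit is an added example, not part of the original article or of Firesheep; the cookie name patterns and the sample responses are constructed.

```python
"""Audit Set-Cookie headers for the weakness Firesheep demonstrated:
a session cookie that the browser would also transmit over cleartext HTTP.
The sample responses at the bottom are constructed for illustration."""

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")  # assumed name patterns


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_response(scheme, headers):
    """Return a list of findings for one HTTP response.

    scheme  -- 'http' or 'https', the channel the response arrived over
    headers -- list of (header_name, header_value) tuples
    """
    findings = []
    names = {h.lower() for h, _ in headers}
    if scheme == "https" and "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security: later plain-http requests carry cookies")
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hval)
        is_session = any(hint in name.lower() for hint in SESSION_HINTS)
        if scheme == "http":
            findings.append(f"{name}: set over cleartext HTTP, visible to anyone on the network")
        if is_session and "secure" not in attrs:
            findings.append(f"{name}: session cookie lacks Secure, so the browser sends it over http:// too")
        if is_session and "httponly" not in attrs:
            findings.append(f"{name}: session cookie lacks HttpOnly")
    return findings


# Constructed responses. WEAK is the pattern the article describes: HTTPS log-on,
# but the session cookie is usable over HTTP. HARDENED marks the cookie Secure and
# HttpOnly and tells the browser to stay on HTTPS for the whole site.
WEAK = ("https", [("Content-Type", "text/html"),
                  ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.com")])
HARDENED = ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                      ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(*resp) or ["ok"])
```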
Firesheep, which works with the Windows and Mac OS X versions of Firefox, can be downloaded free of charge at the GitHub site. Butler is working on Firesheep for the Linux edition of Firefox.