Want to hack someone else’s Amazon, Facebook, Twitter or Windows Live account in just one click? A Firefox extension called Firesheep claims you can by hijacking a person’s current user session over an open Wi-Fi connection.
I tested the extension out and to my horror it works as advertised – almost, that is.
Firesheep targets 26 online services, including many popular ones such as Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, WordPress and Yahoo. The extension is also customizable, allowing a hacker to target other Websites not listed by Firesheep.
While Firesheep sounds scary (and once again highlights the security concerns of using open Wi-Fi) the new Firefox extension is not as frightening as it sounds.
How Firesheep works
Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension waits for someone to log in to any of the 26 sites listed in Firesheep’s database. When you log in to Amazon, for example, your browser sends the site an Amazon-specific cookie that contains personally identifying information such as your user name and an Amazon session ID.
As your browser swaps cookie information back and forth with the Website, a third party can hijack that communication and capture info including your user name and session ID. Typically, the cookie will not contain your password. But even without your password, the fact that Firesheep has snagged your session cookie means that a hacker can, at least in theory, access your account and gain virtually unrestricted access. If the hacker got your Yahoo Mail cookie, they could send an e-mail; if it was Facebook, they may be able to post a message, and so on. Any operations that require your password, however, such as accessing your credit card information on Amazon, should not be possible using Firesheep.
Firesheep put to the test
Since I wasn’t close to a public Wi-Fi hotspot today, I tested Firesheep on my own home network using Firefox 3.6 for Mac OS X. The problem is I use WPA2 encryption at home, a Wi-Fi security standard that encrypts all user traffic going between your PC and the router. So the only way I could test Firesheep was on my own machine, which I did by browsing on both Firefox and Chrome.
To get started I installed Firesheep on Firefox, and then opened it up by clicking on View>Sidebars>Firesheep. I then saw a blank sidebar with a button at the top that said “Start Capturing.” Once I clicked the button to start snooping, the extension asked for my computer’s master password so that the extension could access and make changes to my machine. Needless to say, this is not something I would recommend you try on your own computer.
After the sidebar was working it started grabbing user IDs as promised for sites I logged in to including Amazon, Facebook, Google and The New York Times. Firesheep was able to grab my user name and profile photo (when available) and then display each account in the sidebar.
Theoretically, if I had tested this system over an unencrypted Wi-Fi network at a cafe, I should have been able to simply click on any of the accounts I saw in the Firesheep sidebar and then gain almost unrestricted access to the account. But in my tests that’s not what happened.
Firesheep gets corralled
After the sniffing was done, I was supposed to be able to click on each user ID listed in my sidebar and then see my online accounts. Obviously, I was able to do this when using an account I’d logged in to using Firefox since the browser contained my actual session IDs as well as the stolen cookies sitting in Firesheep. But when I tried to gain access to my New York Times account that I’d logged in to using Chrome, Firesheep couldn’t give me access to my account in Firefox. This was despite the fact that my user name and profile picture appeared in Firesheep.
It’s also important to note that once I logged out of any of the online services I tested, I could not use Firesheep’s stolen cookie to log back in.
Now, as I said, my tests were not perfect since I was using Firesheep on one machine, and my home network is very secure already. So my test may have gone differently if I had tested Firesheep on an unsuspecting user over an open, unencrypted Wi-Fi network at a cafe or bar.
Firesheep Sidejacking limits
There’s no question that Firesheep highlights an important Web browsing security flaw that could expose your account to a malicious hacker. But it’s also important to keep in mind that sidejacking has its limits. Using Firesheep is not likely to expose your user password. So a hacker may be able to use Firesheep to take action on your behalf such as send an e-mail, post a status update, or send out a tweet. But it’s unlikely that Firesheep could be used to steal your account by switching your password on you. Unless, of course, you are using a service that lets you change your password without entering the current one – a rare occurrence these days.
Nevertheless, Firesheep, and sidejacking in general, is still a serious security threat if you happen to be using open or unprotected Wi-Fi. Here are a few basic things you can do to protect yourself when using public Wi-Fi.
Use A VPN
Try using a Virtual Private Network client such as the free version of HotSpot Shield. This piece of software basically creates a secure tunnel for your data that runs between the Wi-Fi router and your computer. This means Firesheep will not be able to steal any data passing between your computer and the router since all communications will be encrypted.
If you’re a Firefox user, you can also use extensions such as HTTPS Everywhere, built by the Electronic Frontier Foundation. This extension forces certain Websites to use a secure SSL connection for your entire browsing session instead of just the login. The problem with HTTPS Everywhere is that it only works on a limited number of sites that support full SSL-encrypted browsing. Often a site uses SSL encryption for your login, but reverts you back to the non-encrypted HTTP standard after you’ve logged in. Check out the EFF’s HTTPS Everywhere page for more information.
Use Strict Transport Security (STS)
Strict Transport Security (STS) is a relatively new security feature that is starting to appear in some browsers. STS automatically forces your browser to make a secure connection with every Web page that supports SSL encryption. Once you start using STS, you will not be able to use an insecure connection ever again when connecting to a specific site such as Facebook or Amazon. Chrome has supported STS since Chrome 4, and Firefox 4 will include STS when the official version launches in the coming months. Be aware that STS is still relatively new, and may not be available for all browsers.
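For site operators, the two weaknesses described above (a session cookie that stays usable over plain HTTP after an SSL login, and no Strict Transport Security header) can both be spotted in a site's response headers. The Python below is an added example, not part of the original article; the function names, the session_id cookie and the sample responses are constructed for illustration.

```python
# Added example: audit response headers for cookie and STS weaknesses. Sample data is constructed.

def parse_set_cookie(value):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None

def audit_response(scheme, headers):
    """List weaknesses in one response; headers is a list of (name, value) pairs."""
    findings, max_age = [], None
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if scheme != "https":
                findings.append(f"{cookie}: issued over plain HTTP")
            elif "secure" not in attrs:
                findings.append(f"{cookie}: no Secure attribute, also sent over HTTP")
        elif name.lower() == "strict-transport-security":
            max_age = hsts_max_age(value)
    # Browsers ignore this header on HTTP responses; max-age=0 switches it off.
    if scheme == "https" and not max_age:
        findings.append("no effective Strict-Transport-Security header")
    return findings

# Constructed responses: an SSL login that leaves the cookie usable over HTTP, and a hardened one.
LOGIN_ONLY_SSL = [("Set-Cookie", "session_id=constructed123; Path=/; HttpOnly")]
HARDENED = [
    ("Set-Cookie", "session_id=constructed123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, resp in (("login-only SSL", LOGIN_ONLY_SSL), ("hardened", HARDENED)):
        print(label, audit_response("https", resp) or "OK")
```

A cookie without the Secure attribute is the one a sniffer on open Wi-Fi can see as soon as the browser makes any plain HTTP request to the site.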
Finally, if you don’t have a password on your router at home, make sure you set one up. If your router supports WPA2 then use that security standard instead of the more widely used and less secure standard known as WEP.
Firesheep may make it easier than ever for someone to snoop on other people over open, unencrypted Wi-Fi, but keep in mind that sidejacking is an old trick that’s been around since at least 2007. To stay safe just make sure that over an open Wi-Fi connection you are using a secure connection with a VPN or HTTPS (SSL). When at home use the WPA2 standard if your router supports it, or at the very least secure your router with a WEP password. Also, don’t forget that you should never use an open Wi-Fi connection for highly sensitive online activities such as accessing your bank or credit card accounts.
Connect with Ian (@ianpaul) on Twitter.