Firesheep brings session hijacking to the masses

A years-old vulnerability has been brought into the limelight by an open source FireFox extension which makes it extremely easy to hijack sessions belonging to other Web users on shared networks.

Eric Butler's Firesheep tool makes it remarkably simple for novices to hijack sessions on several social networking sites. Firesheep monitors network traffic and detects when someone visits a website which transmits unencrypted session cookies. The victim's name and photo is displayed by the tool, and double-clicking on that person instantly logs you in as them.

Even though these session hijacking vulnerabilities have been possible for many years, the sheer user friendliness of this new tool is causing a storm of comments on Twitter. No specialist hacking knowledge is required to use the tool – all you need is to be on the same network as your victim. Sending unencrypted data over open WiFi networks has always posed a security risk, and the release of this new tool greatly increases the likelihood of exploitation.

Online banking services typically employ HTTPS throughout an entire session, keeping the session cookies encrypted and thus hidden from eavesdroppers. Due to the computational overheads of providing HTTPS connections, many other websites reserve this secure protocol only for transmitting login credentials, after which the user would continue to use the website over an unencrypted HTTP connection. This is the weakness which allows Firesheep to work, as it makes the session cookies vulnerable to eavesdropping. This type of vulnerability is commonly discovered during Netcraft's security tests, and Butler's new extension greatly simplifies the process of exploiting it on a range of popular sites.

In recent years, the computational overheads of HTTPS have become less significant due to the continual improvements in computer hardware, so more and more sites are beginning to adopt HTTPS for the entire lifetime of a user session. For instance, Google introduced an "always use HTTPS" option on their widely used Gmail service in 2008, before eventually making this the default setting at the start of 2010.

Butler announced Firesheep at the 12th ToorCon conference. The extension already allows session hijacking vulnerabilities to be exploited against 26 different sites, including Facebook, Flickr, Twitter and WordPress. Additional sites can be monitored simply by adding a new script to its existing list of handlers.