Skip to main content

Firefox Add-On Can Hijack Facebook, Twitter

Monday at the ToorCon 12 security conference, Seattle-based freelance software developer Eric Butler announced the release of Firesheep, a Firefox plug-in that allows a user to scan a Wi-Fi network and hijack another user's access to Twitter, Facebook and many other websites.

According to Butler, the plug-in was created to show how popular websites still leave users exposed despite their "privacy" feature upgrades.

"It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else," he said. "This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."

Butler suggested that it was pointless to roll out new privacy features when someone can take over the account by accessing cookies. He said that the only real way to resolve the issue is for Facebook and other sites to offer full end-to-end encryption via HTTPS or SSL. "When it comes to user privacy, SSL is the elephant in the room," he added.

Firesheep appears frighteningly simple. After the initial installation, users will see a new sidebar in the Firefox browser located to the left. This area provides a "Start Capturing" button they can press after connecting to an open network. Once another unsuspecting network user accesses a known insecure website, the plug-in will display their name and photo under the button. The Firesheep user can then click on the name and log onto their account.

Currently Firesheep can be downloaded here for Windows and OS X, however Windows users will need to install WinPcap first.

Tuesday Butler said that Firesheep had become the #10 trending search on Google in the U.S. The plug-in has also been downloaded 129,000 over the past twenty-four hours and has become one of the “Top Tweets” on Twitter. "I’ve received a ton of great messages from people who are happy that this issue has finally received widespread attention, so after day one I’m happy with the result," he said.