How anyone can 'point-and-click' to hijack your online accounts
Ben Grubb
November 1, 2010 - 3:57PM
The Firesheep add-on in action. Photo: Codebutler.com
Logging in to your Facebook or online email accounts from an unsecured public Wi-Fi network? Think again, as a new add-on for the web browser Firefox allows even the most amateur hackers to hijack your account.
The Firesheep add-on allows anyone to easily break into Facebook, Twitter and legions of other online accounts of individuals when they log in from unsecured public Wi-Fi found at places such as McDonald's, hotels and cafes.
For example, as a victim is logging in to their Facebook or Twitter account from any web browser, the attacker, using the Firefox add-on, can sniff out their credentials, allowing the attacker to hijack the victim's account without having any physical access to their computer.
Using the add-on, the attacker can then access the victim's account using the unsecured Wi-Fi just by clicking on the account.
The attacker is then able to pretend to be the victim by taking over their account.
Depending on the type of account, they are able to send emails or Facebook messages to those the victim is in touch with - and view all of the victim's existing messages.
Without special software that encrypts internet traffic it is impossible to avoid these types of attacks.
In the first couple of days of being available the Firesheep add-on was downloaded more than 129,000 times, said its developer, Eric Butler, a freelance web application and software developer based in Seattle.
Firesheep is not an official Firefox add-on. The reason it was released, Butler said, was to demonstrate how many sites were not using proper security practices.
"Websites have a responsibility to protect the people who depend on their services," he said on his blog.
"They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web."
Chris Gatford, a security consultant at Hacklabs, said the tool was embarrassing large websites, such as Facebook and Twitter, into securing their online applications.
"A lot of these web services should be moving to fix these vulnerabilities in light of this," he said.
Gatford said the flaw that the add-on was taking advantage of had "been around for a long time" and that there had been "several tools" that had the ability to do the same thing in the past.
But he said that the Firesheep add-on had made it "much easier" for anyone – not just security professionals or savvy computer users – to hijack people's Facebook, Twitter and various other online accounts being accessed from unsecured Wi-Fi.
"The great thing about Firesheep from a security professional's perspective is that it makes what we call stealing session cookies much easier to do and makes it much easier – and much easier for other people – to point out vulnerabilities in applications that they're using, such as Facebook and Twitter and various other clients," he said.
The tool works by looking at web traffic available on open Wi-Fi access points, Gatford said.
Many websites don't use what is known as HTTP over SSL (HTTPS) by default. It is HTTPS not being used consistently throughout the online application that is causing users' credentials to leak, he said.
"Unfortunately when you're not using HTTPS you are exposing these credentials and this is what Firesheep does; it picks up some of these credentials flying around the airwaves, in this particular case the open Wi-Fi access point you are connected to, and allows the attacker point-and-click access to other people's accounts," he said.
Gatford said a lot of web applications were designed to use HTTP instead of HTTPS for "speed and performance" and that this may be one of the many reasons why websites that require a log-in weren't using HTTPS.
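The leak Gatford describes comes down to a session cookie that the browser will send over plain HTTP, where anyone on the same open Wi-Fi can read it. The script below is an added example (not from the article, and not part of Firesheep or any site mentioned) showing the check a site operator would run on their own responses: it parses Set-Cookie headers, picks out cookies that look like session cookies, and reports any that lack the Secure flag (so they travel over HTTP) or HttpOnly, and whether the response carries a Strict-Transport-Security header. The two response header lists and the name heuristics are constructed for the example.

```python
"""Audit HTTP response headers for session cookies that would leak over plain HTTP.

Added example: a defender-side check, not code from the article or from Firesheep.
Header lists below are constructed sample data, not captured from any real site.
"""
from dataclasses import dataclass, field

# Constructed heuristic: cookie names that usually carry a login session.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response(headers):
    """headers: list of (header-name, header-value) tuples from one HTTP response.

    Returns {"hsts": bool, "cookies": [CookieFinding, ...]} for session-like cookies.
    """
    hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    findings = []
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(v)
        if not looks_like_session_cookie(name):
            continue
        finding = CookieFinding(
            name=name, secure="secure" in attrs, httponly="httponly" in attrs
        )
        if not finding.secure:
            # Without Secure the browser also sends the cookie on http:// requests,
            # which is exactly the traffic visible on an open access point.
            finding.problems.append("missing Secure: cookie is sent over plain HTTP")
        if not finding.httponly:
            finding.problems.append("missing HttpOnly: cookie readable from page scripts")
        findings.append(finding)
    return {"hsts": hsts, "cookies": findings}


# Constructed sample: a login response from a site that serves HTTPS only for
# the login form and falls back to HTTP afterwards.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c7e; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Constructed sample: the same response after the site moved to HTTPS throughout.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=3f9a1c7e; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]


def report(label, headers):
    result = audit_response(headers)
    print(f"{label}: HSTS {'present' if result['hsts'] else 'absent'}")
    for c in result["cookies"]:
        status = "ok" if not c.problems else "; ".join(c.problems)
        print(f"  {c.name}: {status}")


if __name__ == "__main__":
    report("weak", WEAK_RESPONSE)
    report("hardened", HARDENED_RESPONSE)
```

The `lang` cookie is deliberately left alone in both samples: a preference cookie without the Secure flag carries no session, so the audit only flags cookies whose names suggest they identify a logged-in user.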
In a statement to tech blog TechCrunch, Facebook said it was "making progress testing SSL access across Facebook" and said that it hoped to "provide it as an option in the coming months".
Since Firesheep became available to download, a number of tools have been released to counter its ability to hijack people's credentials. One tool, named FireShepherd, works by flooding a network with certain traffic that stops Firesheep from working.
http://www.smh.com.au/technology ... 20101101-179rg.html
[ Last edited by atomic3d at 1-11-2010 14:09 ]