Its now as easy as that with a a Firefox extension called Firesheep which can hijack a person’s current user-session over an open Wi-Fi connection.
Firesheep is a work of Eric Butler who made the proof oc concept public after after presenting at a Security event. The purpose of the experiment was to showcase the security risks associated with session hijacking, aka sidejacking.
So what all can be hacked with Firesheep? Nearly 26 online services, which includes all popular online services: Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, WordPress and Yahoo.
The extension is so flexible that it can be customized to allow a hacker to target other Websites not listed by Firesheep.
While Firesheep sounds scary, its not as scary as it may sound first. Even though the extension is downlaoded more than 100,000 times, there’s nothing to be scared of.
How Firesheep works
Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension polls around network for someone to log in, when someone does, browser’s site-specific cookie communicates with the site and contains personally identifying information such as your user name and an site specific session ID.
As victim’s browser swaps cookie information back and forth with the Website, our packet sniffer can capture this information and hijack the session. Coz cookies has no password information and it has session timeout, it does eventually. But on a serious ote, even temporary access to the account can bring havocs.
How to use Firesheep
Install WinPcap on windows (Mac Os doesn’t need this) and get the Firesheep extension and then open it up by clicking on View>Sidebars>Firesheep. Click the button that says “Start Capturing.”
Once you click the button, it starts snooping. Then onwards all sessions that are captured are automatically displayed
How to Bypass Firesheep Hijacks?
- If you feel your account has been compromised, immidiately logout. As soon as you do that, hijacked cookie becomes invalid, and no longer can be mis-used.
- Use A VPN: Try using a Virtual Private Network client such as the free version of HotSpot Shield. This piece of software basically creates a secure tunnel for your data that runs between the Wi-Fi router and your computer.
- USe HTTPS Everywhere: If you’re a Firefox user you can also use extensions such as HTTPS Everywhere built by the Electronic Frontier Foundation. This extension forces certain Websites to use a secure SSL connection for your entire browsing session instead of just the login.
- Use Strict Transport Security (STS): Strict Transport Security (STS) is a relatively new security feature that is starting to appear in some browsers. STS automatically forces your browser to make a secure connection with every Web page that supports SSL encryption. Once you start using STS, you will not be able to use an insecure connection ever again when connecting to a specific site such as Facebook or Amazon. Chrome has supported STS since Chrome 4, and Firefox 4 will include STS when the official version launches in the coming months.
- Encrypt your home/office network: Use the strongest possible encryption on your Home and office Wifi connections. WPA2 is much better than WEP.