PSA: Firesheep

If you use wireless in a public location (like Starbucks), it’s possible that someone else on that network can use a Firefox extension called Firesheep to “sidejack” your Amazon, Facebook, Twitter or Google account (among others), i.e. take over your logged-in session. This allows them to do things in your name on those accounts, and perhaps even steal your password (under rare circumstances).

Though the vulnerabilities exploited by Firesheep have been around for a while, once an easy-to-use tool is released it’s pretty common for jackasses to make heavy use of it for malicious purposes. The simplest cure is this tool from the good people at EFF. Here’s a more lengthy explanation of how Firesheep works and what it can do.
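
Sidejacking works because a browser sends a site's cookies on plain http:// requests as well as https:// ones unless the cookie is marked `Secure`, and a session cookie read off a shared wireless network is all an attacker needs to act as you. The following is an added example, not code from the post or from any of the sites it names: a small audit script a site operator can point at their own `Set-Cookie` headers to see which session cookies would travel in the clear. The host names and cookie names in the sample are constructed for the example and are not Firesheep's site list.

```python
"""Added example (not from the original post): audit Set-Cookie headers for
the attributes that limit Firesheep-style sidejacking.

A browser attaches a cookie to every request for its domain and path, over
plain http:// as well as https://, unless the cookie carries the Secure
attribute. Firesheep read those plaintext requests off the shared wireless
network and reused the session cookie, so the first thing to check on a
site you run is whether its session cookies are marked Secure (and HttpOnly,
so a script injected into the page cannot read them either).

The headers below are constructed for this example; the host names and
cookie names are made up.
"""

SAMPLE_SET_COOKIE = [
    # (host, raw Set-Cookie header value) -- constructed samples
    ("social.example", "sessionid=abc123; Path=/; HttpOnly"),
    ("shop.example",   "session-token=xyz789; Path=/; Secure; HttpOnly"),
    ("mail.example",   "SID=qwe456; Domain=.mail.example; Path=/"),
    ("blog.example",   "comment_author_email_=alice@example.org; Path=/"),
]

# Substrings that usually mark a cookie as carrying a login session.
SESSION_HINTS = ("sess", "sid", "token", "login")


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, attrs).

    Attribute names are lowercased; bare flags such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def is_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def sent_over_plaintext(attrs):
    """True if a browser would also send this cookie on http:// requests,
    i.e. if it is exactly what a passive sniffer on the network can read."""
    return "secure" not in attrs


def audit_cookie(header):
    """Return a list of findings for one Set-Cookie header (empty = fine)."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if is_session_cookie(name):
        if sent_over_plaintext(attrs):
            findings.append(f"{name}: session cookie lacks Secure; exposed on http://")
        if "httponly" not in attrs:
            findings.append(f"{name}: session cookie lacks HttpOnly; readable by page scripts")
    if "@" in value:
        # Cookies often carry more than an opaque id; an e-mail address in
        # the clear is personal data for anyone on the network to read.
        findings.append(f"{name}: value looks like an e-mail address stored in the clear")
    return findings


def audit_all(samples=SAMPLE_SET_COOKIE):
    """Map host -> findings for every sample header."""
    return {host: audit_cookie(header) for host, header in samples}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

To use it on a real site you run, replace the constructed list with the `Set-Cookie` values from your own responses; anything reported as "lacks Secure" is what a Firesheep-style tool would pick up on an open network.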
26 replies
  1. 1
    jwb says:

    Hadn’t heard about Firesheep, so thanks for the tip.

  2. 2
    adolphus says:

    Quick question I did not see addressed in the linked article. Can this Firesheep hijack your account only if you also are using Firefox, or can it do this if you are using another web browser?

  3. 3
    jwb says:

    @adolphus: Not an expert here, but I think Firesheep sniffs all internet traffic for cookies it recognizes. I took that to mean it’s not browser specific.

  4. 4
    mistermix says:

    @adolphus: jwb is right.

  5. 5
    Xecky Gilchrist says:

    Thanks! Installed. I don’t use public networks often, but nice to know I can armor up a bit when I do.

    …for some reason, the thread title made me think this would be about FDL.

  6. 6
    soonergrunt says:

    Thanks for the link to the EFF tool. Here’s an idea–the profit-making enterprises involved, Amazon, Facebook, Twitter, Google, and others would spend a little capital on repairing/remediating their security holes.
    Since the internet is almost completely unregulated, however, there is no reason for them to spend the money to do this. It’s not their personal information being compromised after all.
    A great example of the major downsides to the Libertarian anti-regulation attitude.

  7. 7
    bemused says:

    Make sure your home wi-fi nets are configured to use WPA2 session encryption. It isn’t only “public” networks that put you at risk.

  8. 8
    MikeJ says:

    @adolphus: Firesheep is just a generic packet sniffer with an easy-to-use XUL wrapper. A person using Firesheep can sniff packets from any browser, any OS.

  9. 9
    uila says:

    I have long suspected that Starbucks customers were a bunch of packet sniffers. Where is the extension that lets me expose these deviants?

  10. 10
    Alwhite says:

    I have been working in IT security for about 20 years & there is nothing in Firesheep that could not – and has not – been done before. The only difference is that it can now be done by someone with no technical knowledge. I demonstrated wireless hijacking for friends years ago & it is possible with encrypted wireless connections but it requires some knowledge & skill.

    We are “safe” for the same reason that most wildebeests are safe – too many of us in a pack & too few lions. If you do a lot of business online, get a VPN service.

  11. 11
    Knocienz says:

    @bemused: I knew someone who would leave an open wifi connection just to screw with people who tried to use it. Things like changing the resolution on all images so they’d think their monitor went bad or sending them to a fake CNN site they had set up showing an asteroid on course to hit New York.

  12. 12
    jman says:

    The extension waits for someone to log in to any of the 26 sites listed in Firesheep’s database.

    Wonder what 26 sites those are?

  13. 13
    Sentient Puddle says:

    Yeah, back when public networks were really starting to crop up places, I was scared straight by watching a friend grab a packet sniffer and seeing what kind of trouble he could get himself into (plenty).

    It baffles the hell out of me that we’ve seen an explosion of public unencrypted networks, and not a goddamned improvement in security of these things. It’s insane, and I can only hope that something like this will scare the pants off enough people that we can give more attention to security.

  14. 14
    sparky says:

    thanks for the useful post–i was not aware of the tor-EFF collaboration on this point. without regard to the browser/OS someone uses, people may also want to consider installing one of the personal VPNs that can provide more security in public. i’m not familiar with enough of them to make a recommendation.

  15. 15
    RareSanity says:

    For those that use public wifi pretty often, you probably owe it to yourself to buy some type of VPN router for your home connection, or use a reputable VPN provider. If the VPN is configured to “route all traffic”, everything you are doing, even on an open wifi connection, is encrypted.

    I forget what computing power is required to try and crack a suitable VPN connection, but it is enough to require enough time and actual computers that no one will try to crack yours to try and get something free off Amazon.

  16. 16
    monkeyboy says:

    @jman:

    Wonder what 26 sites those are?

    from here:

    Moreover, to give you a sense of Firesheep’s scope, the extension is built to identify cookies from Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp. And that’s just the default setting— anyone can write their own plugins, according to the post.

  17. 17
    bemused says:

    @Knocienz:
    Weird. I didn’t write that comment. I know nada about encryption.

  18. 18
    MikeJ says:

    @RareSanity:

    For those that use public wifi pretty often, you probably owe it to yourself to buy some type of VPN router for your home connection, or use a reputable VPN provider.

    I run an ssh server on my internet-facing computer at home. Then when I’m on my laptop, either at a coffee shop or at a client’s office, all my traffic is encrypted and bounced off my machine at home. There’s no reason to believe you can trust our corporate overlords any more than you trust random people in a coffeehouse.

  19. 19
    Joe Buck says:

    At least in the case of Facebook, you can get an encrypted session (and keep safe from snoopers) by using https: instead of http:. If you just type “facebook.com” in the location bar you get http: by default.

  20. 20
    RareSanity says:

    @MikeJ:

    I run an ssh server on my internet-facing computer at home. Then when I’m on my laptop, either at a coffee shop or at a client’s office, all my traffic is encrypted and bounced off my machine at home. There’s no reason to believe you can trust our corporate overlords any more than you trust random people in a coffeehouse.

    I use an Endian firewall and OpenVPN…my comment was more directed toward simplicity of setup and maintenance for an “average” user. Any type of encryption would be better than none. Not only that, I would find random hackers at a coffee shop to be a far worse threat to my accounts than a big corporation. I am not rich enough, or dealing with sensitive enough information, for any corporation to give a flip about what I’m doing.

  21. 21
    demimondian says:

    @soonergrunt: (Ob disc — I work for Google, and work closely with the security team.) For what it’s worth, Google has permitted you to use SSL for all communication with our servers since July of 2008. In GMail (or any other Google property, including apps), go to settings…general settings, and, under browser connection, select “always use https”, then click “save changes” at the bottom of the page. This is also supported for accounts serviced by Google over Google Apps for Your Domain.
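
Joe Buck's point that typing a bare hostname gets you http: by default, and demimondian's that Google lets you choose "always use https", both come down to the same server-side behaviour. The following is an added example, not code from the thread or from Facebook or Google: a minimal WSGI application that redirects any plain-http request to its https URL, tells the browser via Strict-Transport-Security not to try http:// again, and sets its session cookie with `Secure` and `HttpOnly`. The host name, path and cookie name are assumptions made up for the example; `run()` and `make_environ()` exist only so the app can be exercised without a server.

```python
"""Added example (not code from the post or from any site named in it): the
server side of "always use https", as a minimal WSGI application.

Three things happen here:
  1. a request arriving over plain http is answered with a redirect to the
     https URL instead of content (so no cookie is ever sent in the clear);
  2. https responses carry Strict-Transport-Security, so the browser will
     upgrade future http:// links to https:// on its own;
  3. the session cookie is set with Secure and HttpOnly.

The host name, path and cookie name are made up for the example.
"""
import secrets

HSTS_VALUE = "max-age=31536000; includeSubDomains"
SESSION_COOKIE = "sessionid"  # assumed name, not any real site's cookie


def is_https(environ):
    """The scheme the request actually arrived on. Behind a TLS-terminating
    proxy you would trust X-Forwarded-Proto from that proxy instead."""
    return environ.get("wsgi.url_scheme", "http") == "https"


def https_url(environ):
    """Rebuild the requested URL with an https scheme."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    url = "https://" + host + environ.get("PATH_INFO", "/")
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url


def session_set_cookie():
    """A fresh random session id with the attributes that keep it off http."""
    sid = secrets.token_urlsafe(32)
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly"


def app(environ, start_response):
    if not is_https(environ):
        # Never serve content (or cookies) over plaintext: redirect instead.
        start_response("301 Moved Permanently",
                       [("Location", https_url(environ)),
                        ("Content-Length", "0")])
        return [b""]
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Strict-Transport-Security", HSTS_VALUE),
        ("Set-Cookie", session_set_cookie()),
    ]
    start_response("200 OK", headers)
    return [b"logged in over TLS\n"]


def make_environ(scheme, host="www.example", path="/inbox", query=""):
    """Constructed WSGI environ for exercising app() without a server."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
            "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


def run(environ):
    """Call app() and return (status, headers as a dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    for scheme in ("http", "https"):
        status, headers, _ = run(make_environ(scheme, query="q=1"))
        print(scheme, "->", status, headers)
```

The redirect alone is not enough on an open network: the first http:// request still leaves the laptop in the clear, which is why the HSTS header (remembered by the browser after one https visit) and the `Secure` flag on the cookie are part of the same fix.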

  22. 22
    Tim in SF says:

    Hi! I’m the webmaster for EFF (and long-time B-J lurker & occasional commenter).

    When you are in a public space, always, ALWAYS make sure any website with which you are exchanging sensitive info* has https, not just http in the address bar, on each and every page of that site while you are on it. You can often physically change it to make your session secure.

    We at EFF wrote this article that may shed light on some of the mechanics and risks involved, as well as fixes. In short, encourage every site you frequently use to employ an https version, if they can.

    (“sensitive info” can be thought of as your login, password, or anything else you wouldn’t want written on a sticky and put on your laptop case for all to see)

  23. 23
    tom says:

    I use a VPN service called HotSpotVPN. Its installation instructions are (or were – haven’t seen them lately) rather cryptic for the average user, but I’ve been happy with the service.

  24. 24
    demimondian says:

    @Tim in SF: For what it’s worth, many sites store stuff in their cookies that is more sensitive than many users realize. For instance, my cookie jar for “www.balloon-juice-com” contains a cookie called “comment_author_email_”. That cookie is used to fill in the “Mail” field on my browser, and it points to a real account on a real server.

  25. 25
    moops says:

    @demimondian:

    comment_author_email_ and other private information in cookies really should be put through a hash function. It doesn’t have to be a fancy kind. heck, rot13 would stop most firesheep types, but a simple feature like that would help people out a lot.
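
As an added example (not code from the thread or from the blog's own software), here is one way a site can keep a commenter's e-mail address out of the cookie entirely: the browser receives only a random token plus an HMAC tag computed with a key that never leaves the server, while the address itself stays in a server-side table. The key, the table and the sample address are constructed for the example.

```python
"""Added example, not code from the thread or from the blog's software: an
opaque, integrity-protected cookie in place of a clear-text e-mail address.

The cookie value is 'token.tag'. The token is random and means nothing on
its own; the tag is an HMAC over the token under a server-side key, so a
value whose token or tag has been edited is rejected before any lookup.
Someone reading the cookie off the network learns no address.

SERVER_KEY, COMMENTER_BY_TOKEN and the sample address are constructed here.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # generated at startup for the example
COMMENTER_BY_TOKEN = {}               # token -> e-mail, server side only


def _tag(token, key):
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()


def issue_cookie(email, key=SERVER_KEY):
    """Register the e-mail and return the opaque cookie value 'token.tag'."""
    token = secrets.token_urlsafe(16)    # URL-safe alphabet, never contains '.'
    COMMENTER_BY_TOKEN[token] = email
    return f"{token}.{_tag(token, key)}"


def resolve_cookie(cookie_value, key=SERVER_KEY):
    """Return the e-mail for a valid cookie, or None if the tag does not
    verify under the key or the token is unknown."""
    token, _, tag = cookie_value.rpartition(".")
    expected = _tag(token, key)
    # Constant-time comparison so a forger gets no timing hint.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return COMMENTER_BY_TOKEN.get(token)


if __name__ == "__main__":
    cookie = issue_cookie("alice@example.org")   # constructed address
    print("cookie value:   ", cookie)
    print("resolves to:    ", resolve_cookie(cookie))
    edited = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    print("edited resolves:", resolve_cookie(edited))
```

This protects what the cookie reveals and whether it can be altered; it does nothing about replay of a cookie captured on the network, which is the actual sidejacking problem and is only closed by sending the cookie over https with the `Secure` attribute.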

  26. 26
    adolphus says:

    Thanks for answering my question above.

    I am not a computer professional and much of what you guys are talking about is way over my head. Does anyone have a link that explains this simply? The EFF link was helpful, but even it seemed to assume a certain level of knowledge.

    From what I can gather VPN software will help me with this problem. I have had a VPN client on my desktop since I returned to graduate school. My university has always required it to connect to various school services, especially, for my purposes, research databases and library services. I am scouring their website now and can find no literature on how this helps with security. Does it?

    No need to hold my hand on this, but if you know where I can get simple explanations to stupid questions, I would be grateful. Meanwhile I will continue to look through my university’s IT department websites.

Comments are closed.