Many websites you use every day–like Facebook, Twitter, Google, Foursquare–have a big honking security problem that lets a determined snooper on your Wi-Fi hotspot log into your account as you. This week, security experts put pressure on these companies to close up this gaping hole by releasing tools that make it very easy for anyone to exploit them.
First, developer Eric Butler released Firesheep, a Firefox extension that makes it frighteningly simple for someone sitting across the coffee shop from you to log into your Facebook account.
Here’s how it works, in simplest terms: when you sign into a web application like Facebook, Twitter, or Flickr, your password gets transmitted over a secure connection that makes it impossible for someone listening on your Wi-Fi network to decrypt. However, to keep your session going, the site uses a browser cookie to identify you are as you browse the web site. In many major webapps, that cookie information is NOT encrypted, and that’s where Firesheep comes in. Firesheep listens for cookie information being sent in the clear over the local network, and uses it to make Facebook et al think that you have legitimately logged in as someone else.
Firesheep works with many major webapps; here’s what it looks like running in Firefox on a computer connected to an open Wi-Fi network, where others are logged into their Twitter, Flickr, Facebook, and Google accounts.
This session cookie exploit has been known for a long time now, but it used to be the domain of determined hackers with advanced tools most civilians would never know about. Firesheep is a one-click install for Firefox, and its graphical user interface is very easy to use. Butler created it not for evildoers to hack accounts, but to put pressure on companies to encrypt session cookies so that it can’t be done.
A follow-up tool, called Idiocy, hijacks your Twitter session using the same unencrypted cookie hijacking technique and auto-tweets “I browsed twitter insecurely on a public network and all I got was this lousy tweet”, with a link to a the Idiocy page, as shown above. The linked page explains what happened:
You just got your twitter session automatically hijacked by a piece of software, the intention is to warn you that your account can be modified without your permission. […] To prevent this occurring in the future, make sure you ALWAYS visit twitter securely. You can do this by going to https://twitter.com, rather than http://twitter.com. It’s the same as internet banking – look for the lock!
Idiocy is a bit more difficult to run than Firesheep, but its auto-tweet functionality gets the message across more effectively.
Ultimately Firesheep, Idiocy and its ilk are a call to companies like Facebook and Twitter demanding that they encrypt all cookies, like Google’s Gmail does. Until encrypted cookies become standard security practice–and hopefully the attention these tools brought to the issue will force these web companies’ hands–you can protect yourself.
First and foremost, avoid open Wi-Fi networks where it’s even possible for others on the network to sniff the traffic your computer’s sending and receiving to various sites. When you must hop onto open Wi-Fi, use an https connection for every site you possibly can. The Force TLS Firefox extension tells your browser to use https by default.
Reached for comment, a Facebook spokesperson tells Fast Company: “We have been making progress testing SSL access across Facebook and hope
to provide it as an option in the coming months. As always, we advise
people to use caution when sending or receiving information over
unsecured Wi-Fi networks. This tip and others can be found on the
Facebook Security Page.” The spokesperson added, “Be careful about the information you access or send from a public
wireless network. To be on the safe side, you may want to assume that
other people can access any information you see or send over a public
wireless network. Unless you can verify that a hot spot has effective
security measures in place, it may be best to avoid sending or receiving
sensitive information over that network.”
The FTC’s OnGuardOnline site also offers a warning.
Twitter promised Fast Company a response later today. Other services did not respond to requests for comment in time for this post. When they do, we’ll update it.
While there will most certainly be collateral damage due to the release of Firesheep and Idiocy, if the long-term effect is that all web companies use SSL for cookies, it will be worth it. Now, webapp makers, go forth and secure your cookies!