Firesheep Exposes the Soft Underbelly of Website Security
The new Firefox plug-in Firesheep is a tool that a public WiFi hotspot user can implement to snoop on the activities of other users of that hotspot. Mozilla says the flaw Firesheep exploits is not found in Firefox per se, but rather in the lax security standards to which many popular websites adhere. Firesheep will make it easier for malicious hackers to do their dirty work, but it also may motivate improvements.
10/26/10 11:17 AM PT
Freelance software developer Eric Butler has released Firesheep, a plug-in to the Firefox Web browser that lets anyone capture cookies from an open WiFi network and possibly steal their owners' identities.
Firesheep is free and open source program available for the Mac OS X and Windows platforms. Butler is working on a Linux version.
Butler wrote that he released Firesheep to draw attention to the longstanding poor state of website security.
Encrypting logins, as many websites do, is not enough, because once the site sets a session cookie, it reverts to regular, unencrypted HTTP for the rest of the session, exposing the user to interception.
Butler did not respond to requests for comment by press time.
The Firesheep Website Security Bleatdown
Basically, Firesheep installs a packet sniffer with some logic behind it to identify cookies for specific websites in the traffic, Randy Abrams, director of technical education at ESET, told TechNewsWorld. It then automates the capture and use of the cookies.
Once a user has installed Firesheep, a new sidebar will pop up on the Firefox browser. The user then connects to any busy, open WiFi network -- such as public WiFi hotspots, including those at cafes -- and clicks the "Start Capturing" button on the sidebar.
Firesheep will display information about others on the network who are using an insecure website known to Firesheep, Butler wrote. In certain cases, users' names will be shown -- double-clicking on a name lets a Firesheep user instantly log in as that person.
"When you're on a WiFi hotspot everybody's going out to the same IP address, so you just sniff the traffic, see these cookies and read them," Beth Jones, a senior threat researcher at Sophos Labs, told TechNewsWorld. "Firesheep takes things a little bit further and grabs whatever it can read and displays that," she added.
"Starbucks just became a more dangerous place," ESET's Abrams said. "This tool will be used extensively in places such as coffee shops and airports."
Not all sites are equally vulnerable.
"Gmail keeps everything encrypted; you can keep a session secure from the time you log in to the time you're finished, so even if someone else can see it they can't do anything with it," Sophos Labs' Jones pointed out. "That's what other sites should be doing, but many people figure once your login's secure you don't care about anything else. That's not necessarily the case."
Social media sites are the most prominent destinations vulnerable to cookie hijacking, and one reason why they don't implement more security is that privacy is not necessarily part of the social media business model, Jones said.
Butler's No Goat
"I don't think Butler did anything wrong," Dave Marcus, director of security research at McAfee Labs, told TechNewsWorld. "Over the past three years there have been tools that do exactly what Firesheep does, and Firesheep only makes things easier. It's not anything people haven't been talking about since 2002," he explained.
"We can't necessarily agree with Butler's efforts, but I understand he may very well have tried to go through the proper channels and shown people the vulnerability, and they hadn't responded to it, so finally he upped the ante," Sophos Labs' Jones said.
"That's possibly what he's doing but then again, do you really want to do something that makes things easier for the black hats?" Jones asked. Malicious hackers are known as "black hats" in the security industry; good hackers, who find security flaws and try to fix them, are known as "white hats."
On the other hand, perhaps Butler's action may be the wake-up call website owners have needed for awhile.
"I find Firesheep to be a very useful teaching tool," McAfee Labs' Marcus remarked.
"If you really want to change someone's understanding of why they'd want to implement full secure sessions, install something like this on your browser and show them how easy it is to capture people's identities," he added.
"It seems that this is the only way to call significant attention to the problem," ESET's Abrams said. "This may force some action. The add-on is useless if the site operators do their job correctly, which is rare."
The only effective fix for this problem, according to Butler, is full end-to-end encryption using HTTPS or SSL (secure socket layers).
However, there may be other ways.
"Those could be the more expedient methods," Jones said. Technically savvy users could build their own trusted proxies using their own computers but "that does take some technical know-how to do," she added.
"There's tools out there which users can implement to protect themselves against stuff like this," McAfee's Marcus said. "The Electronic Freedom Foundation released the HTTPS Everywhere plug-in, which will protect you out of the box from Firesheep and similar code on Facebook and other sites."
Another tool, a Firefox extension called "Force-TLS", is available as a Firefox add-on. This lets websites to tell Firefox that they should be served through HTTPS.
Could the Mozilla Foundation, which developed the Firefox browser, have done more to prevent add-ins such as Firesheep from being put out?
Not really, Sophos Labs' Jones said. "Mozilla's running into the same problem Facebook is running into -- because they're trying to allow for innovation and new ideas to come through, they don't exert such tight control over their apps," she pointed out.
"Also, Mozilla's an open community; how many people do they have to vet software?" Jones asked.
"Firesheep is an add-on for Firefox created and distributed by a third-party developer," Mike Beltzner, Mozilla's director of Firefox, told TechNewsWorld. "It demonstrates a security weakness in a number of popular websites, but does not exploit any vulnerability in Firefox or other Web browsers. Mozilla recommends that websites start supporting HTTP-STS, which will be supported by default in Firefox 4."