Monday, October 25, 2010

New Firefox Add-on Hijacks Facebook, Twitter Sessions

Computerworld - A new Firefox add-on lets "pretty much anyone" scan a Wi-Fi network and steal others' access to Facebook, Twitter and a host of other services, a security researcher warned today.

The add-on, dubbed "Firesheep," was released Sunday by Eric Butler, a Seattle-based freelance Web application developer, at the ToorCon security conference, which ran October 22-24 in San Diego, Calif.

Butler said he created Firesheep to expose the risk of accessing unencrypted Web sites from open Wi-Fi spots.

Although it's common for sites to encrypt user log-ons with or SSL, few encrypt the actual traffic. "This leaves the cookie, and the user, vulnerable," said Butler in a post to his personal blog. "On an open wireless network, cookies are essentially announced through the air, making these attacks exceedingly easy."

With a user's cookie in hand, a criminal can do anything the user can do on a site, Butler noted. Among the sites that Firesheep can hijack are Facebook, Twitter, Flickr, bit.ly, Google and Amazon.
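The weakness Butler describes, an encrypted log-on followed by an unencrypted session, is visible in a site's own response headers. As an added example that is not part of the original article, this Python check flags cookies set without the `Secure` attribute and HTTPS log-ons that redirect to HTTP; the hostname, cookie names and values are constructed sample data.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_login_flow(responses):
    """responses: list of (request_url, [Set-Cookie values], redirect Location or None).
    Returns (subject, problem) pairs for each place a cookie can leave the encrypted channel."""
    findings = []
    for url, set_cookies, location in responses:
        scheme = urlsplit(url).scheme
        for header in set_cookies:
            name, _, attrs = parse_set_cookie(header)
            if "secure" not in attrs:
                findings.append((name, "missing Secure: browser will also send it over http://"))
            if scheme != "https":
                findings.append((name, "set over unencrypted HTTP"))
        # An encrypted log-on that hands the browser back to plain HTTP
        if scheme == "https" and location and urlsplit(location).scheme == "http":
            findings.append((url, "HTTPS log-on redirects to HTTP: " + location))
    return findings

# Constructed capture of a site that encrypts only the log-on step.
SAMPLE_FLOW = [
    ("https://www.example.test/login",
     ["session_id=3f9a1c; Path=/; HttpOnly",
      "csrf=77ab; Path=/; Secure"],
     "http://www.example.test/home"),
    ("http://www.example.test/home", ["prefs=dark; Path=/"], None),
]

if __name__ == "__main__":
    for subject, problem in audit_login_flow(SAMPLE_FLOW):
        print(f"{subject}: {problem}")
```

A clean result requires every session cookie to carry `Secure` and no step of the flow to fall back to `http://`.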

Butler did not respond to an interview request Monday.

"None of this is new, the problem certainly isn't," said Richard Wang, the U.S. executive of SophosLabs, the research arm of U.K.-based security firm Sophos. "But Firesheep makes it so easy to discover [unencrypted traffic and cookies] that pretty much anyone can use it to listen to what others are doing at open hotspots."

Firesheep adds a sidebar to Mozilla's Firefox browser that shows when anyone on an open network -- such as a coffee shop's Wi-Fi network -- visits an insecure site. "Double-click on someone [in the sidebar] and you're now logged on as them," said Butler in his short description of his add-on.

The add-on appears to be irresistible: Since Butler posted Firesheep on Sunday, it's been downloaded nearly 50,000 times.

Butler created Firesheep to illustrate the widespread problem of unencrypted sites and open networks. "Web sites have a responsibility to protect the people who rely on their services," he said. "They've been ignoring this responsibility for too long, and it's time for everybody to demand a more secure Web. My hope is that Firesheep will help the users win."

Wang was hopeful that the add-on would prompt more sites to encrypt their sessions. "The hope here is of increased use of he said. But he also urged more open networks to secure users, though he acknowledged the logistics -- handing out the passwords needed to connect -- would be daunting. "It's the old 'security-versus-convenience' argument," he noted.
