Last Sunday a security group from Seattle, Washington demonstrated a Firefox extension that can hack computers using unsecured Wi-Fi connections. Though this is not anything new, the extension can steal information with just one click. The extension, called Firesheep, can capture social networking sites via an unsecured HTTP connection — social networking sites such as Facebook, Twitter, Flickr, and iGoogle using just a single click.
According to a report at threat post, The Kaspersky Lab Security News Service, it also stated that:
It’s no secret that Web sessions that use the bare HTTP protocol to transmit and receive data are susceptible to a variety of security attacks. What’s less clear is how much information is floating out there in the ether, especially with the rise of “Web 2.0” and rich social networking applications and other Web-based sharing tools.
But now a pair of researchers have created a tool to identify and capture the social networking sessions of those around you. The tool, a Firefox browser extension dubbed “Firesheep,” was demonstrated at the ToorCon Hacking Conference in San Diego on Sunday. Its primary purpose is to underscore the lack of effective transaction security for many popular social networking applications, including Facebook, Twitter, Flickr and iGoogle: allowing users to browse public wi-fi networks for active social networking sessions using those services, then take them over using a built-in “one-click” session hijacking feature.
Firesheep works on unencrypted wireless LAN connections with services that do not use secure HTTP.
The researchers, Ian Gallagher of Security Innovation in Seattle Washington, and Eric Butler, an independent security consultant, also of Seattle, demonstrated Firesheep before an audience at ToorCon on Sunday: surveying and then hijacking audience members’ Facebook and iGoogle sessions. They warned that, without wider use of secure transaction tools for end-to-end Web encryption like SSL, more users were likely to fall victim to such attacks.
The problem isn’t new, Butler said, but has been the “elephant in the room” since the birth of the Web and the HTTP protocol that is its lingua franca. While technologies like virtual private networking tools (VPN) can help deter snooping, but don’t provide end to end encryption of Web sessions and, thus, just “move the problem around,” Butler said.
If you use unsecured Wi-Fi connections to surf and post on social networking sites, you should be aware of the risks. What makes this threat so dangerous is that any idiot can click on the Firesheep extension and complete an attack.
But there is also a possible good outcome to this type of an attack. Google has already secured its email program called Gmail with https, so Firesheep will not work. There is also a suggestion by some security experts that Facebook will also use a secure system in which Firesheep will not work.
In the meantime, be careful where you surf and be aware that the bad guys are lurking.