The big news of the week, emanating from Toorcon 12, is the release of Firesheep. This tool makes SideJacking – that is, “hijacking an engaged Web session with a remote service by intercepting and using the credentials that identified the user/victim to that specific server” – painfully simple for anybody to use. How easy? Well, let’s see… you download and install Firefox… and then you download and install the Firesheep extension to Firefox… and then you restart Firefox and run the tool to start hijacking sessions… that’s it! Simple enough for ya?
SideJacking is not a new concept, nor are tools that automate it. Robert Graham of Errata Security made a bit of a splash with his tool Hamster back at Black Hat 2007 (also see “Wi-Fi SideJacking opens eyes at BlackHat”). And, really, the concept of intercepting and hijacking sessions is even older than that. Poor session management continues to be on the OWASP Top 10 list, as does the lack of adequate transport layer protection (that is, SSL/TLS for web sites).
What is most interesting about this problem – as is true of so many webappsec issues today – is that these are well-known issues that are trivially resolved, and yet in 10+ years of webdev evolutions we’ve seen NO PROGRESS. Says Eric Butler, author of Firesheep, in his announcement:
“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new “privacy” features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.”
Butler commented today on all the media coverage his tool and this issue have now received, but wondered whether it will really lead to any changes.
“The real story here is not the success of Firesheep but the fact that something like it is even possible. The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not. Going forward the metric of Firesheep’s success will quickly change from amount of attention it gains, to the number of sites that adopt proper security. True success will be when Firesheep no longer works at all.”
Quick Tips for End-Users (Consumers):
- Be extremely cautious using public WiFi. If you have mobile broadband, then this is a recommended interim solution, though bear in mind that intercepting mobile communications over 3G networks like GSM is becoming cheaper and easier (see the Wired article “Hacker Spoofs Cell Phone Tower to Intercept Calls” about Chris Paget’s DEFCON 18 presentation).
- Install either the HTTPS Everywhere or Force-TLS Firefox extension. TechCrunch has an article up titled “How To Protect Your Login Information From Firesheep” that provides a good explanation of how to use these tools.
- Change your passwords regularly. As a precaution, you should make a habit of changing passwords to key sites on a regular basis. In some cases, the credentials intercepted are your actual username+password. If the username is your email address and you reuse passwords across sites, then an attacker now has access to more than just the one hijacked site session.
Quick Tips for Developers:
- Use transport encryption (SSL/TLS) for all authenticated sessions.
- Learn how to avoid broken authentication and session management issues.
- Get software security training!
- Integrate app security testing into the existing dev process.
Related coverage:
- TechCrunch: “Firesheep In Wolves’ Clothing: Extension Lets You Hack Into Twitter, Facebook Accounts Easily”
- NetworkWorld: “Firefox Add-on Firesheep Brings Hacking to the Masses”
- PCWorld: “Firesheep’s a Huge Hit with Amateur Hackers”
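For the developer tips above on transport encryption and session management, here is an added example (not from the original post or from Firesheep) that audits a response's headers for the gaps that let a session cookie travel in the clear. The header samples, the cookie-name heuristic and the function names are assumptions made for illustration.

```python
"""Audit HTTP response headers for weaknesses that make sidejacking possible."""

# Assumption: substrings that suggest a cookie carries session state.
SESSION_HINTS = ("sess", "sid", "auth", "token")

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}

def audit_response(scheme, headers):
    """Return findings for one response; headers is a list of (name, value) pairs."""
    findings = []
    header_names = {k.lower() for k, _ in headers}
    if scheme == "https" and "strict-transport-security" not in header_names:
        findings.append("no HSTS header: later requests may fall back to plain HTTP")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # not a session cookie by our heuristic
        if scheme != "https":
            findings.append(f"{name}: session cookie issued over plain HTTP")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure, browser will also send it over HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
    return findings

# Constructed samples: a login page served over HTTPS whose cookie is still
# usable on HTTP pages, and the corrected response.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=CONSTRUCTED123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=CONSTRUCTED123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response("https", sample) or "no findings")
```

A cookie without the Secure attribute is sent on any plain-HTTP request to the same host, which is exactly the traffic a sidejacking tool listens for on an open network.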