A new Firefox plug-in is ruffling security feathers thanks to its ability to snatch Web browser cookies for sites such as Facebook and Twitter and gain access to users’ accounts. The plug-in, called Firesheep, lets users see Web pages they shouldn’t have access to and in many cases post as if they were the account owner.
“When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a ‘cookie’ which is used by your browser for all subsequent requests,” Firesheep developer Eric Butler said on his Web site.
With access to that initial cookie, someone could pose as the account owner and see anything the actual account owner would normally have access to including private messages. The process of intercepting those cookies is called “sidejacking.”
Firesheep: Snagging account authentication cookies on a network near you.
“On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy,” Mr. Butler said.
The Mac Observer’s tests showed that using the Firesheep plug-in only requires knowing how to install Firefox plug-ins. Once installed, the plug-in can be used to access the Facebook, Twitter, Yahoo!, Google and Amazon accounts of other users on the same network. The plug-in can intercept cookies for several other Web sites, too.
In TMO’s tests, we accessed a Facebook account and were able to post a message on the user’s wall as if we were the actual account owner.
Our tests also showed that using client apps on the iPhone and iPad, such as Twitter clients and Amazon’s own app, didn’t transfer information that Firesheep was able to intercept.
While sidejacking isn’t new, Firesheep makes it surprisingly simple for nearly anyone to exploit the weakness.
Fixing the problem for Web browsers requires sites to use an encrypted protocol such as HTTPS (HTTP over SSL) for the whole session, so the cookie is never sent in the clear. So far none of the companies TMO has contacted about the issue has replied.
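Moving a site to HTTPS only closes the hole if the session cookie itself is marked so the browser will never send it over plain HTTP. The following is an added example, not code from the article or from Firesheep: it parses Set-Cookie headers and flags session cookies that are missing the Secure attribute (the one that matters for sidejacking), plus HttpOnly and SameSite as supporting hygiene, and shows what a hardened header looks like. The header strings and the list of session cookie names are constructed for the example.

```python
"""Audit Set-Cookie headers for the attributes that blunt sidejacking.

Added example (not from the article). A session cookie without the Secure
attribute is sent on every plain-HTTP request to the site, which is exactly
what a sniffer on an open wireless network captures. Serving the site over
HTTPS helps only if the cookie is also marked Secure.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample headers; not captured from any real site.
SAMPLE_HEADERS = [
    "sessionid=8f3a9c; Path=/; HttpOnly",                        # sent in the clear
    "sessionid=8f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "prefs=dark; Path=/; Max-Age=31536000",                      # not a session cookie
]

# Assumed (constructed) list of cookie names that carry a login session.
SESSION_COOKIE_NAMES = {"sessionid", "sid", "phpsessid", "jsessionid", "auth", "token"}


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Union[str, bool]]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no '='; record them as True.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(header: str, session_names=SESSION_COOKIE_NAMES) -> CookieAudit:
    """Return the cookie's attribute state and a list of findings (empty if fine)."""
    name, _value, attrs = parse_set_cookie(header)
    secure = attrs.get("secure") is True
    httponly = attrs.get("httponly") is True
    samesite_raw = attrs.get("samesite")
    samesite = samesite_raw if isinstance(samesite_raw, str) else None

    findings: List[str] = []
    if name.lower() in session_names:
        if not secure:
            findings.append("session cookie lacks Secure: browser will send it over plain HTTP")
        if not httponly:
            findings.append("session cookie lacks HttpOnly: readable by page scripts")
        if samesite is None:
            findings.append("session cookie lacks SameSite: sent on cross-site requests")
    return CookieAudit(name, secure, httponly, samesite, findings)


def audit_headers(headers: List[str]) -> List[CookieAudit]:
    """Audit a batch of Set-Cookie headers, e.g. all of one response's headers."""
    return [audit_set_cookie(h) for h in headers]


def hardened_session_cookie(name: str, value: str, max_age: Optional[int] = None) -> str:
    """Build a Set-Cookie value with the attributes a login cookie should carry."""
    attrs = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        attrs.append(f"Max-Age={int(max_age)}")
    return "; ".join(attrs)


if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        status = "OK" if not result.findings else "; ".join(result.findings)
        print(f"{result.name:10s} secure={result.secure!s:5s} -> {status}")
    print("hardened:", hardened_session_cookie("sessionid", "8f3a9c", max_age=3600))
```

Run against a site's own responses, the audit should show no findings for the login cookie; the first sample header above is the shape of the problem the article describes, and the second (or the output of `hardened_session_cookie`) is the shape of the fix.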