Tuesday, October 26, 2010

Firesheep lets anyone hack into your social network accounts on public networks

Since the Toorcon 12 hacker conference in San Diego on Sunday, nobody can pretend that public and open WiFi networks are safe for logged-in web sessions. Eric Butler, a freelance web application and software developer from Seattle, WA, released a free Firefox extension called "Firesheep" that does the eavesdropping for you.
The extension takes advantage of a security weakness that is very common across a wide range of websites, including Facebook and Twitter. When you log into a website you usually start by submitting your username and password. The server checks that an account matching those credentials exists and, if so, replies with a "cookie" that your browser then attaches to every subsequent request. From that point on the cookie, not the password, is what proves to the site that you are logged in.

The security issue is that, even where the login form itself is submitted over HTTPS, the rest of the session runs over unencrypted HTTP, so the cookie travels in cleartext with every request. Anyone who can see the traffic, which on an open WiFi network means anyone within radio range, can copy it. The attacker only needs to share the network with you in order to capture the cookie; once captured, it can be replayed from the attacker's own browser and the site will treat that browser as you.
This issue has been well known for years, yet social network websites have failed to act on it. Although the account can be hijacked, the user's password is not exposed: the attacker holds the session, not the credentials. That still lets them read everything on the profile and change account information at will. And now, with a Firefox extension available for free, anyone can do this on a public or open WiFi network with a couple of clicks.
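As an added illustration (not part of the original post and not Firesheep's own code), here is a small Python script that does what a passive sniffer on the same WiFi network can do with one captured HTTP request: parse it, pick out the cookies that a per-site handler says make up a session, and build the Cookie header that replays it. The site name, cookie names and captured request are constructed for the example; the TLS bytes at the end show why an HTTPS request yields nothing.

```python
import re
from typing import Optional

# Constructed, hypothetical per-site "handlers" in the style of Firesheep's
# site scripts: which host to watch and which cookie names make up a session.
# These names are assumptions for this example, not real sites' cookie names.
SITE_HANDLERS = {
    "social.example": ["sessionid", "user_id"],
    "photos.example": ["auth_token"],
}

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload: bytes):
    """Split a plaintext HTTP request into (method, path, headers), or return
    None if the bytes are not an HTTP request (for instance a TLS record)."""
    if not REQUEST_LINE.match(payload):
        return None
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value: str) -> dict:
    """Parse 'a=1; b=2' into a dict."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def harvest_session(payload: bytes) -> Optional[dict]:
    """What a passive sniffer learns from one captured TCP payload: the host and
    the session cookies for it, if the request was plaintext and we have a
    handler for that site. Returns None otherwise."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return None
    _method, _path, headers = parsed
    host = headers.get("host", "").split(":")[0]
    wanted = SITE_HANDLERS.get(host)
    if not wanted or "cookie" not in headers:
        return None
    cookies = parse_cookie_header(headers["cookie"])
    session = {name: cookies[name] for name in wanted if name in cookies}
    if len(session) != len(wanted):
        return None  # incomplete session, not enough to impersonate
    return {"host": host, "cookies": session}


def replay_cookie_header(stolen: dict) -> str:
    """Build the Cookie header an attacker's browser would send to reuse the
    session. No password is needed: the cookie itself is the proof of login."""
    return "; ".join(f"{k}={v}" for k, v in stolen["cookies"].items())


# Constructed sample traffic. The first is what a sniffer sees on open WiFi when
# a logged-in user loads a page over plain HTTP; the second is the start of a
# TLS handshake (record type 0x16, version 3.1), i.e. what HTTPS looks like.
PLAINTEXT_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: social.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sessionid=8f3a1c9d2e; user_id=1001; lang=en\r\n"
    b"\r\n"
)
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x01" + b"\x00" * 32

if __name__ == "__main__":
    print(harvest_session(PLAINTEXT_REQUEST))
    # {'host': 'social.example', 'cookies': {'sessionid': '8f3a1c9d2e', 'user_id': '1001'}}
    print(harvest_session(TLS_CLIENT_HELLO))
    # None: over HTTPS the sniffer sees only ciphertext
```

The handler model is the point: the attacker does not need to understand the site, only to know which cookie names carry the session, which is exactly what Firesheep's per-site scripts encode.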

How to prevent getting hacked on a public network
The problem is grave but not unsolvable. The cookie is only exposed because it is sent over plain HTTP; if the whole session runs over HTTPS (HTTP inside an SSL/TLS connection, so "HTTPS encryption" and "SSL encryption" are the same thing), a sniffer sees only ciphertext. We hope the social network websites make HTTPS standard for every page soon. Until then there is a Firefox extension called HTTPS Everywhere, from the EFF and the Tor Project, which rewrites your requests to use HTTPS on sites where it is known to be available, so the hacker never gets hold of your cookies. The caveat is that it can only protect you on sites that actually offer HTTPS, and only for the pages its rules cover; a site that serves its pages over plain HTTP only is still exposed. It is available from the HTTPS Everywhere project page.
Scroll down to the bottom of the page and click on "https-everywhere-0.2.2.xpi".
Install it, restart your browser, and you should be protected on the sites it covers.
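Added example, not from the original post: a Python script that audits a site's Set-Cookie header for the Secure flag, which is the server-side counterpart to running HTTPS Everywhere on the client. It shows a weak 2010-style header beside its hardened form and models the one browser rule that makes the flag matter: a cookie marked Secure is never attached to an http:// request, so a stray plaintext image or script load cannot leak it even on a site that otherwise uses HTTPS. The cookie name and domain are constructed for the example; HttpOnly is added alongside as the usual companion flag, though it guards against script access, not sniffing.

```python
from urllib.parse import urlsplit

# Flags a session cookie should carry before it goes over the wire. Secure is
# the one that defeats a Firesheep-style sniffer; HttpOnly is the usual
# companion against script access and is included for completeness.
REQUIRED_FLAGS = (("secure", "Secure"), ("httponly", "HttpOnly"))


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, [(attr, val), ...]),
    preserving the original attribute spelling for re-emission."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key.strip(), val.strip()))
    return name.strip(), value, attrs


def flags_present(attrs) -> set:
    """Case-insensitive set of attribute names present on the cookie."""
    return {key.lower() for key, _ in attrs}


def audit_set_cookie(header: str) -> list:
    """Return the list of missing hardening flags (lower-case names)."""
    _, _, attrs = parse_set_cookie(header)
    present = flags_present(attrs)
    return [flag for flag, _label in REQUIRED_FLAGS if flag not in present]


def harden_set_cookie(header: str) -> str:
    """Re-emit the header with Secure and HttpOnly appended where missing."""
    name, value, attrs = parse_set_cookie(header)
    present = flags_present(attrs)
    for flag, label in REQUIRED_FLAGS:
        if flag not in present:
            attrs.append((label, ""))
    rendered = [f"{name}={value}"] + [f"{k}={v}" if v else k for k, v in attrs]
    return "; ".join(rendered)


def browser_sends_cookie(set_cookie: str, request_url: str) -> bool:
    """Model the browser rule that matters here: a Secure cookie is attached
    only to https:// requests; a cookie without the flag goes out with every
    matching request, plaintext included."""
    _, _, attrs = parse_set_cookie(set_cookie)
    scheme = urlsplit(request_url).scheme
    if "secure" in flags_present(attrs):
        return scheme == "https"
    return scheme in ("http", "https")


# Constructed example: the weak header a 2010-era site might send after a
# login that itself happened over HTTPS, beside its hardened form.
WEAK = "sessionid=8f3a1c9d2e; Path=/; Domain=.social.example"
HARDENED = harden_set_cookie(WEAK)

if __name__ == "__main__":
    print(audit_set_cookie(WEAK))   # ['secure', 'httponly']
    print(HARDENED)
    # sessionid=8f3a1c9d2e; Path=/; Domain=.social.example; Secure; HttpOnly
    # A plain http:// image load leaks the weak cookie to the sniffer;
    # the hardened one is never sent on that request.
    print(browser_sends_cookie(WEAK, "http://social.example/img/logo.png"))      # True
    print(browser_sends_cookie(HARDENED, "http://social.example/img/logo.png"))  # False
    print(browser_sends_cookie(HARDENED, "https://social.example/home"))         # True
```

HTTPS Everywhere and the Secure flag cover each other's gaps: the extension moves the request to HTTPS where a rule exists, and the flag stops the browser from sending the session cookie on any http:// request that slips through.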

Sites for which Firesheep ships a handler, i.e. sessions it can hijack out of the box, include:
Foursquare, Gowalla, Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, WordPress, Yahoo and Yelp.
