
Firesheep, Fireshepherd, and Facebook: Understanding Session Hijacking

Firesheep is a tool that allows hackers to eavesdrop on unencrypted wireless networks and, in essence, hijack the browser session. Information technology professional Mike Chapple shows you how web authentication makes session hijacking possible, how Firesheep exploits these vulnerabilities, and the measures that website administrators, web developers, and end users can take to protect against session hijacking attacks.

Earlier this year, a developer named Eric Butler released a tool he called Firesheep that allows hackers to eavesdrop on unencrypted wireless networks and steal the sessions of other users who are logged on to popular websites. Firesheep allows the hacker to gain access to the accounts that users access on popular websites, including Facebook and Twitter. It works by exploiting a flaw that's been well-known, but inadequately addressed, for many years: session hijacking.

In this article, we take a look at the mechanisms behind web authentication that make session hijacking possible, how Firesheep exploits these vulnerabilities, and the measures that website administrators, web developers, and end users can take to protect against session hijacking attacks.

Web Authentication 101

You may know that web authentication relies upon small pieces of data known as cookies to manage the sessions of logged-in users. Here's a quick run-down on how the process generally works:

  1. User accesses a website that requires authentication.
  2. User provides a username and password to authenticate.
  3. The website logs the user in by verifying the password and provides the user's browser with a cookie that is used to uniquely identify the session.
  4. The user continues to access the website. Each time he or she requests a new page, the browser sends the cookie along with the request to remind the web server that the request is part of a previously authenticated connection.

In almost all cases, web developers and website administrators use HTTPS encryption to protect step 2 of this process, knowing that someone gaining access to an individual's username and password can easily gain access to his or her account. In many cases, they then switch back to an unencrypted HTTP connection for the remainder of the web traffic, including the exchange of the cookie.
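The following added example (not code from the article) models steps 3 and 4 for a login response and reports which follow-up requests would carry the session cookie over unencrypted HTTP. The host name, cookie name and cookie value are constructed, and the standard `Secure` cookie attribute it checks is not named in the article; only that attribute is modelled, so domain, path and expiry matching are ignored.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie values, as a site might send after an HTTPS login (step 3).
WEAK_COOKIE = "session_id=3f9a1c0de4; Path=/"
HARDENED_COOKIE = "session_id=3f9a1c0de4; Path=/; Secure; HttpOnly"

# Constructed follow-up requests (step 4): the site drops back to HTTP after login.
FOLLOWUP_URLS = [
    "https://site.example/login/done",
    "http://site.example/home",
    "http://site.example/profile",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookie_sent(header, url):
    """True if a browser would attach this cookie to a request for url.

    A cookie marked Secure is only sent over https; any other cookie is
    sent regardless of scheme.
    """
    _, _, attrs = parse_set_cookie(header)
    return not ("secure" in attrs and urlsplit(url).scheme != "https")


def cleartext_exposures(header, urls):
    """List the URLs where the cookie would cross the network unencrypted."""
    return [u for u in urls
            if urlsplit(u).scheme == "http" and cookie_sent(header, u)]


if __name__ == "__main__":
    for label, cookie in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        name = parse_set_cookie(cookie)[0]
        exposed = cleartext_exposures(cookie, FOLLOWUP_URLS)
        print(f"{label}: {name} exposed on {len(exposed)} request(s): {exposed}")
```
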
