Session Hijacking Attacks and Firesheep
Enter session hijacking attacks. An eavesdropper who manages to intercept any of the communications that take place during step 4 of the process (which is trivial on an unencrypted wireless network) can easily gain access to the cookie. Once the contents of the cookie are known, he or she can create a forged HTTP request that uses the cookie to gain access to the user's account.
Many popular websites, including Facebook and Twitter, have been vulnerable to this type of attack for many years. The only barrier to widespread exploitation was a woefully inadequate reliance upon security by obscurity. A relatively small number of people had the knowledge and expertise to carry out a session hijacking attack, and they often lacked the motivation. After all, major targets such as online banking, brokerage, and e-commerce sites encrypted all of their communications. Hijacking a social networking site session just didn't seem worth the effort.
Then along came Eric Butler with Firesheep, a tool that removed the barrier to entry and put session hijacking capability into the hands of anyone capable of installing a Firefox extension. A user wishing to steal sessions simply has to connect to an open wireless network, start Firesheep, and wait for the names of vulnerable users to appear on the screen. When an attractive target pops up, the attacker simply clicks on his or her name and gains full access to the session!
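A defender-side check for the exposure described above, as an added example that is not part of the original article: it reads the Set-Cookie headers of a response and reports which cookies would cross the network where an eavesdropper can read them. The function names, the app.example URLs and the sample headers are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes)."""
    first, *rest = header.split(";")
    name = first.strip().partition("=")[0]
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val  # attribute names are case-insensitive
    return name, attrs


def sniffable_cookies(response_url, set_cookie_headers):
    """Map cookie name -> reasons a passive eavesdropper could read it."""
    cleartext = urlsplit(response_url).scheme.lower() != "https"
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        reasons = []
        if cleartext:
            reasons.append("set in a cleartext HTTP response")
        if "secure" not in attrs:
            reasons.append("no Secure attribute, so it is also sent over http://")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "session_id=3f9a7c; Path=/; HttpOnly",         # login cookie without Secure
    "csrf=ab12; Path=/; Secure; SameSite=Strict",  # protected in transit
    "theme=secure_dark; Path=/",                   # "secure" in the value is not the flag
    "lang=en; SECURE",                             # flag matched case-insensitively
]

if __name__ == "__main__":
    for url in ("https://app.example/login", "http://app.example/login"):
        print(url)
        for name, reasons in sniffable_cookies(url, SAMPLE_HEADERS).items():
            print(f"  {name}: {'; '.join(reasons)}")
```

A session cookie reported for the HTTPS login URL matters as much as one set over HTTP: without the Secure attribute the browser attaches it to any later plain-HTTP request to the same site.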