Software:Firesheep
Developer(s) | Eric Butler |
---|---|
Stable release | 0.1-1[1]
|
Operating system | Microsoft Windows and Mac OS X (highly unstable on Linux) |
Available in | English |
Type | Add-on (Mozilla) |
Website | codebutler |
Firesheep was an extension for the Firefox web browser that used a packet sniffer to intercept unencrypted session cookies from websites such as Facebook and Twitter. The plugin eavesdropped on Wi-Fi communications, listening for session cookies. When it detected a session cookie, the tool used this cookie to obtain the identity belonging to that session. The collected identities (victims) are displayed in a side bar in Firefox. By clicking on a victim's name, the victim's session is taken over by the attacker.[2]
The extension was released October 2010 as a demonstration of the security risk of session hijacking vulnerabilities to users of web sites that only encrypt the login process and not the cookie(s) created during the login process.[3] It has been warned that the use of the extension to capture login details without permission would violate wiretapping laws and/or computer security laws in some countries. Despite the security threat surrounding Firesheep, representatives for Mozilla Add-ons stated initially that it would not use the browser's internal add-on blacklist to disable use of Firesheep, as the blacklist has only been used to disable spyware or add-ons which inadvertently create security vulnerabilities, as opposed to attack tools (which may legitimately be used to test the security of one's own systems).[4] Since then, Firesheep has been removed from the Firefox addon store.
A similar tool called Faceniff was released for Android mobile phones.[5]
See also
References
- ↑ Butler, Eric. "Firesheep – codebutler". http://codebutler.com/firesheep?c=1. Retrieved December 20, 2010.
- ↑ Steve Gibson, Gibson Research Corporation. "Security Now! Transcript of Episode No. 272". Grc.com. http://www.grc.com/sn/sn-272.htm. Retrieved November 2, 2010.
- ↑ "Firesheep Sniffs Out Facebook and Other User Credentials on Wi-Fi Hotspots". Lifehacker. October 25, 2010. http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep. Retrieved October 28, 2010.
- ↑ Keizer, Gregg (October 28, 2010). "Mozilla: No 'kill switch' for Firesheep add-on". Computer World. http://www.computerworld.com/s/article/9193420/Mozilla_No_kill_switch_for_Firesheep_add_on. Retrieved October 29, 2010.
- ↑ "Sniff and intercept web session profiles on Android". Help Net Security. June 2, 2011. http://www.net-security.org/secworld.php?id=11107. Retrieved June 2, 2011.
External links