Firesheep, Fireshepherd, and Facebook: Understanding Session Hijacking
Earlier this year, a developer named Eric Butler released a tool he called Firesheep that allows hackers to eavesdrop on unencrypted wireless networks and steal the sessions of other users who are logged on to popular websites. Firesheep allows the hacker to gain access to the accounts that users access on popular websites, including Facebook and Twitter. It works by exploiting a flaw that's been well-known, but inadequately addressed, for many years: session hijacking.
In this article, we take a look at the mechanisms behind web authentication that make session hijacking possible, how Firesheep exploits these vulnerabilities, and the measures that website administrators, web developers, and end users can take to protect against session hijacking attacks.
Web Authentication 101
You may know that web authentication relies upon small pieces of code known as cookies to manage the sessions of logged-in users. Here's a quick run-down on how the process generally works:
- User accesses a website that requires authentication.
- User provides a username and password to authenticate.
- The website logs the user in by verifying the password and provides the user's browser with a cookie that is used to uniquely identify the session.
- The user continues to access the website. Each time he or she requests a new page, the browser sends the cookie along with the request to remind the web server that the request is part of a previously authenticated connection.
In almost all cases, web developers and website administrators use HTTPS encryption to protect step 2 of this process, knowing that someone gaining access to an individual's username and password can easily gain access to his or her account. In many cases, they then switch back to an unencrypted HTTP connection for the remainder of the web traffic, including the exchange of the cookie.