Session Hijacking Made Easy

October 27, 2010

The past ten years or so have seen tremendous growth in the use of wireless networking, sometimes called “Wi-Fi”, among most groups of Internet users.  Getting rid of the umbilical cord connecting one’s laptop to a wired network has certainly been a convenience, and made working while at least somewhat mobile a much more practical proposition.  Free or low-cost public wireless access is now offered by many public libraries, coffee shops, shopping centers, and other places.  This has prompted security folks to warn that, since Wi-Fi uses radio transmissions, it is in principle possible for others to listen in on one’s Internet session, possibly intercepting login credentials, for example.  For private Wi-Fi facilities, like those in a business or a home, this can be addressed by encrypting the entire wireless network; open public Wi-Fi networks, however, typically do not use encryption.  Many Web sites also ensure that their login transactions are done over a secure connection (usually indicated in the browser by a little lock icon).

But public networks are still dangerous.  Hyper-Text Transfer Protocol [HTTP], the core protocol of the Web, was designed to be a “connectionless” (or stateless) protocol, focused only on requests for pages, and responses to those requests.  The entire idea of a logged-in session at a Web site was more or less grafted on top of HTTP, principally by using cookies, small bits of text that are stored by the client browser, and are used to pass information back and forth.  You may have seen notices at Web sites to the effect that “you must have cookies enabled to log in”.   In general, when you log in, the site returns a cookie to your browser; the cookie, in effect, contains a temporary secret that allows you access to the site, because your browser returns its value with subsequent requests.

This means that someone who can eavesdrop on your unencrypted Wi-Fi session can capture the value of the login cookie, and use it to impersonate you, at least for a time.  Doing this has generally required a bit of detailed networking knowledge.  Now, however, according to a report at ThreatPost, a pair of security researchers has developed a proof-of-concept extension for the Firefox browser, which basically allows “one click” session hijacking on an unprotected wireless network, to dramatize the risks involved.

But now a pair of researchers have created a tool to identify and capture the social networking sessions of those around you. The tool, a Firefox browser extension dubbed “Firesheep,” was demonstrated at the ToorCon Hacking Conference in San Diego on Sunday. Its primary purpose is to underscore the lack of effective transaction security for many popular social networking applications, including Facebook, Twitter, Flickr and iGoogle: allowing users to browse public wifi networks for active social networking sessions using those services, then take them over using a built-in “one-click” session hijacking feature.

The Firesheep extension is set up to automatically detect and log sessions from some popular services, like Facebook.  It is important to emphasize that using a secure connection for the login transaction will not prevent this attack, because the session is hijacked after the login is completed, by “sniffing” the session cookie(s).  (Slides from the ToorCon conference presentation are available here.)

One way to avoid this risk is, of course, never to use public wireless networks for anything remotely confidential.  Another, somewhat less drastic, risk mitigation, described in a post at TechCrunch, involves installing another Firefox extension called Force-TLS.  This will attempt to force the use of an encrypted session for Web sites specified by the user.  This solution is not perfect; some sites may not be able to serve all their content using secure connections, even if, for the most part, the site supports it.  (Some more technical detail is available at the developer’s site.)  Some sites have resisted making full secure sessions available, arguing that it would adversely affect performance.  It is worth noting that Google’s GMail service began offering full SSL session encryption in January; according to Google, the impact was minimal: “We had to deploy no additional machines, and no special hardware.”†
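The exposure the post describes is a session cookie that the browser will also send over plain http://, and the fix is keeping the whole session on HTTPS.  As an added example (not from the post, from Firesheep or from Force-TLS), here is a Python check over a site's response headers, using constructed sample responses, that reports which cookies lack the Secure attribute (and so would be sent in the clear) and whether the server sends Strict-Transport-Security, the server-side standard that later did what Force-TLS did on the client.

```python
"""Audit HTTP response headers for the exposure the post describes:
a login session cookie that the browser would also send over plain
http://, where anyone on an open Wi-Fi network can sniff it."""
from http.cookies import SimpleCookie

# Constructed sample responses (not captured from any real site).
LEAKY_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=3600"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=3600; Secure"),
]

def parse_cookies(headers):
    """Return {cookie_name: Morsel} for every Set-Cookie header."""
    jar = SimpleCookie()
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar.load(value)
    return dict(jar)

def has_hsts(headers):
    """True if the server tells browsers to use only HTTPS from now on
    (Strict-Transport-Security, the server-side counterpart of the
    per-site list a user maintains in the Force-TLS extension)."""
    return any(n.lower() == "strict-transport-security" for n, _ in headers)

def cleartext_cookies(headers):
    """Names of cookies a browser would send on a plain http:// request,
    i.e. those set without the Secure attribute."""
    return sorted(n for n, m in parse_cookies(headers).items() if not m["secure"])

def audit(headers):
    """Summarise one response: which cookies are sniffable on open Wi-Fi,
    and whether the server forces later requests onto HTTPS."""
    exposed = cleartext_cookies(headers)
    return {
        "cleartext_cookies": exposed,
        "hsts": has_hsts(headers),
        "sniffable": bool(exposed),
    }

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp))
```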

Still, I think that raising people’s awareness of this risk is an important first step in making the Web more secure.  I hope it will motivate Web site developers to take their part of the security responsibility seriously, by supporting secure connections properly.

If you use GMail, you should turn the full SSL feature on.  To do this, go to your GMail account.  Click on Settings in the top right corner of the page.  Click on the General tab.  The fifth item down is Browser Connection; select “Always Use https”.
