The Firefox Firesheep extension has helped give birth to a similar tool targeted at Twitter.
A London software developer has followed in the footsteps of the Firesheep extension for Firefox
with his own tool targeting Twitter users leveraging open WiFi.
Jonty Wareing's tool is called "Idiocy,"
which he describes in a blog post as "a warning shot to people browsing
the internet insecurely." Unlike Firesheep, which targets a number of
sites including Facebook and Flickr, Idiocy is specifically aimed at
"Idiocy is designed to warn people of the risks they're taking on
public WiFi networks," Wareing blogged. "While quietly running in the
background Idiocy watches for people visiting Twitter insecurely, hijacks the session and posts a tweet
warning them that they are vulnerable, with a link to a page explaining what has happened."
"Given that most Websites will not be making SSL [secure sockets
layer] the default any time soon, the only option is to educate
people," he added. "Run Idiocy on your laptop and make people aware."
Eric Butler, one of the researchers who released Firesheep, had a similar stated purpose.
"The real story here is not the success of Firesheep but the fact that something like it is even possible," he blogged
"The same can be said for the recent news that Google Street View
vehicles were collecting web traffic. It should not be possible for
Google or anybody to collect this data, whether intentional or not...True
success will be when Firesheep no longer works at all."
Firesheep has been downloaded more than 339,000
in the past few days. With Firesheep installed, attackers can target
anyone on the same wireless network visiting non-encrypted sites
recognized by the tool. Both programs are focused on HTTP session
hijacking, a well-known problem that occurs when an attacker gets a
hold of a user's cookie. Researchers have released several other tools
over the years to exploit the issue as well.
In a joint blog post, Butler and research partner Ian Gallagher
noted that the problem really is not open WiFi, but the failure of many
Web sites to support SSL. In addition, a password-protected (WPA2)
wireless network only requires attackers perform one more step - such
as DNS spoofing - to carry out the attack, according to the blog
Users can mitigate the issue with virtual private networks or
extensions like Firefox's HTTPS-Everywhere, but none of these is a
silver bullet, they wrote. The only real solution is properly
Due to Firesheep's publicity, there will likely be more forced HTTPS
offerings for other browsers soon, opined Sean Sullivan, security
advisor for F-Secure.
"Google moved Gmail completely to HTTPS after the Aurora attacks,"
he said. "The fix costs money, CPU power is required to provide
encryption... so if it isn't broke, it won't be fixed. Some vendors,
such as Facebook, may decide that their business requires full
encryption, as they're already a target. But Flickr? I can't see a way
to leverage attacking that as easily, so I imagine full HTTPS would be
slow in coming."
*This story was updated to add more current statistics about the number of Firesheep downloads.