New Twitter Session Hijacking Tool Follows Firesheep
A London software developer has followed in the footsteps of the Firesheep extension for Firefox with his own tool targeting Twitter users leveraging open WiFi.
Jonty Wareing's tool is called "Idiocy," which he describes in a blog post as "a warning shot to people browsing the internet insecurely." Unlike Firesheep, which targets a number of sites including Facebook and Flickr, Idiocy is specifically aimed at Twitter.
"Idiocy is designed to warn people of the risks they're taking on public WiFi networks," Wareing blogged. "While quietly running in the background Idiocy watches for people visiting Twitter insecurely, hijacks the session and posts a tweet warning them that they are vulnerable, with a link to a page explaining what has happened."
"Given that most Websites will not be making SSL [secure sockets layer] the default any time soon, the only option is to educate people," he added. "Run Idiocy on your laptop and make people aware."
Eric Butler, one of the researchers who released Firesheep, had a similar stated purpose.
"The real story here is not the success of Firesheep but the fact that something like it is even possible," he blogged. "The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not...True success will be when Firesheep no longer works at all."
Firesheep has been downloaded more than 339,000 times in the past few days. With Firesheep installed, attackers can target anyone on the same wireless network visiting non-encrypted sites recognized by the tool. Both programs are focused on HTTP session hijacking, a well-known problem that occurs when an attacker gets a hold of a user's cookie. Researchers have released several other tools over the years to exploit the issue as well.
In a joint blog post, Butler and research partner Ian Gallagher noted that the problem really is not open WiFi, but the failure of many Web sites to support SSL. In addition, a password-protected (WPA2) wireless network only requires attackers perform one more step - such as DNS spoofing - to carry out the attack, according to the blog post.
Users can mitigate the issue with virtual private networks or extensions like Firefox's HTTPS-Everywhere, but none of these is a silver bullet, they wrote. The only real solution is properly implemented SSL/HTTPS.
Due to Firesheep's publicity, there will likely be more forced HTTPS offerings for other browsers soon, opined Sean Sullivan, security advisor for F-Secure.
"Google moved Gmail completely to HTTPS after the Aurora attacks," he said. "The fix costs money, CPU power is required to provide encryption... so if it isn't broke, it won't be fixed. Some vendors, such as Facebook, may decide that their business requires full encryption, as they're already a target. But Flickr? I can't see a way to leverage attacking that as easily, so I imagine full HTTPS would be slow in coming."
*This story was updated to add more current statistics about the number of Firesheep downloads.