UK Twitter Session Hijacking Tool Follows Firesheep Flock

A London software developer has followed in the footsteps of the Firesheep extension for Firefox with his own tool targeting Twitter users using open WiFi.

Jonty Wareing’s tool is called “Idiocy” which he describes in a blog post as “a warning shot to people browsing the internet insecurely”. Unlike Firesheep, which targets a number of sites including Facebook and Flickr, Idiocy is specifically aimed at Twitter.

Tweeting For Idiots

“Idiocy is designed to warn people of the risks they’re taking on public WiFi networks,” Wareing blogged. “While quietly running in the background Idiocy watches for people visiting Twitter insecurely, hijacks the session and posts a tweet warning them that they are vulnerable, with a link to a page explaining what has happened.”

“Given that most Websites will not be making SSL [secure sockets layer] the default any time soon, the only option is to educate people,” he added. “Run Idiocy on your laptop and make people aware.”

Eric Butler, one of the researchers who released Firesheep, had a similar stated purpose.

“The real story here is not the success of Firesheep but the fact that something like it is even possible,” he blogged. “The same can be said for the recent news that Google Street View vehicles were collecting Web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not… True success will be when Firesheep no longer works at all.”

Firesheep has been downloaded more than 339,000 times in the past few days. With Firesheep installed, attackers can target anyone on the same wireless network visiting non-encrypted sites recognised by the tool. Both programs are focused on HTTP session hijacking, a well-known problem that occurs when an attacker gets hold of a user’s cookie.

Researchers have released several other tools over the years to exploit the issue as well.

In a joint blog post, Butler and research partner Ian Gallagher noted that the problem really is not open WiFi, but the failure of many Web sites to support SSL. In addition, a password-protected (WPA2) wireless network only requires attackers perform one more step – such as DNS spoofing – to carry out the attack, according to the blog post.

Users can mitigate the issue with virtual private networks or extensions like Firefox’s HTTPS-Everywhere, but none of these is a silver bullet, they wrote. The only real solution is properly implemented SSL/HTTPS.

Due to Firesheep’s publicity, there will likely be more forced HTTPS offerings for other browsers soon, opined Sean Sullivan, security advisor for F-Secure.

“Google moved Gmail completely to HTTPS after the Aurora attacks,” he said. “The fix costs money, CPU power is required to provide encryption… so if it isn’t broke, it won’t be fixed. Some vendors, such as Facebook, may decide that their business requires full encryption, as they’re already a target. But Flickr? I can’t see a way to leverage attacking that as easily, so I imagine full HTTPS would be slow in coming.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago