UK Twitter Session Hijacking Tool Follows Firesheep Flock

A London software developer has followed in the footsteps of the Firesheep extension for Firefox with his own tool targeting Twitter users using open WiFi.

Jonty Wareing’s tool is called “Idiocy” which he describes in a blog post as “a warning shot to people browsing the internet insecurely”. Unlike Firesheep, which targets a number of sites including Facebook and Flickr, Idiocy is specifically aimed at Twitter.

Tweeting For Idiots

“Idiocy is designed to warn people of the risks they’re taking on public WiFi networks,” Wareing blogged. “While quietly running in the background Idiocy watches for people visiting Twitter insecurely, hijacks the session and posts a tweet warning them that they are vulnerable, with a link to a page explaining what has happened.”

“Given that most Websites will not be making SSL [secure sockets layer] the default any time soon, the only option is to educate people,” he added. “Run Idiocy on your laptop and make people aware.”

Eric Butler, one of the researchers who released Firesheep, had a similar stated purpose.

“The real story here is not the success of Firesheep but the fact that something like it is even possible,” he blogged. “The same can be said for the recent news that Google Street View vehicles were collecting Web traffic. It should not be possible for Google or anybody to collect this data, whether intentional or not… True success will be when Firesheep no longer works at all.”

Firesheep has been downloaded more than 339,000 times in the past few days. With Firesheep installed, attackers can target anyone on the same wireless network visiting non-encrypted sites recognised by the tool. Both programs are focused on HTTP session hijacking, a well-known problem that occurs when an attacker gets hold of a user’s cookie.

Researchers have released several other tools over the years to exploit the issue as well.

In a joint blog post, Butler and research partner Ian Gallagher noted that the problem really is not open WiFi, but the failure of many Web sites to support SSL. In addition, a password-protected (WPA2) wireless network only requires attackers perform one more step – such as DNS spoofing – to carry out the attack, according to the blog post.

Users can mitigate the issue with virtual private networks or extensions like Firefox’s HTTPS-Everywhere, but none of these is a silver bullet, they wrote. The only real solution is properly implemented SSL/HTTPS.

Due to Firesheep’s publicity, there will likely be more forced HTTPS offerings for other browsers soon, opined Sean Sullivan, security advisor for F-Secure.

“Google moved Gmail completely to HTTPS after the Aurora attacks,” he said. “The fix costs money, CPU power is required to provide encryption… so if it isn’t broke, it won’t be fixed. Some vendors, such as Facebook, may decide that their business requires full encryption, as they’re already a target. But Flickr? I can’t see a way to leverage attacking that as easily, so I imagine full HTTPS would be slow in coming.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago