Case Study: Firesheep, A Real-World Example of Social Media Hacking

Firesheep, a Firefox extension created by software developer Eric Butler, lets anyone on an unsecured wireless network, such as a coffee shop’s free Wi-Fi, take over the social media accounts of other users on that same network. According to Butler, the attack is relatively simple and works by capturing the “cookies” the user’s browser sends. As stated on the Firesheep site (http://codebutler.com/firesheep): “When logging into a website you usually start by submitting your username and password; if an account matching this information exists, you receive an automatic reply with a ‘cookie,’ which is used by your browser for all subsequent requests.”

If you log in to your bank’s web portal, you should see “HTTPS” in the address bar the whole time you are checking your account. That is not the case with every site that offers a login. Many sites encrypt the login itself but then stop encrypting the rest of the browsing session, which leaves the authenticated session exposed: an attacker who gets hold of the user’s “cookie” effectively has access to the user’s session. This is a real threat whenever you log in to an account on a site that does not keep the complete session inside an encrypted tunnel, for instance while you’re between client meetings and using the free wireless at Starbucks.

So anyone logging into Facebook or another social network from an open wireless network may be subject to attack and compromise. In the case of Firesheep (see Figure 5-1), the exploit was developed to expose the continued vulnerability of many of the leading social networks, generate awareness, and effect a change. The figure shows the tool capturing the traffic of other users on the open wireless network; here you see a capture of Gary’s Facebook login.


Figure 5-1 Firesheep in action

Social media hacking can happen to anyone; just ask actor Ashton Kutcher, whose Twitter account was compromised. The tweet read:

Ashton, you’ve been Punk’d. This account is not secure. Dude, where’s my SSL?

And with that, Ashton Kutcher learned about the dangers of Firesheep. The event occurred at 17:30 Pacific time during the 2011 TED Conference; presumably Kutcher was using an unsecured web session. A few minutes later, his Twitter name, @aplusk, was used to tweet the following message, which his 6.3 million followers saw posted to his account:

P.S. This is for those young protesters around the world who deserve not to have their Facebook & Twitter accounts hacked like this. #SSL

To date there have been over 1.3 million downloads of the Firesheep plugin.

The backend of Firesheep uses WinPcap; it is essentially sniffing network traffic, a technology that has been around for a long time. Packaging Firesheep into a neat, ready-to-run installation is what made it so popular. As with any unencrypted traffic, an attacker can engage in activities such as ARP poisoning and session hijacking. Encryption adds overhead, which is why some sites don’t encrypt the whole session over SSL. Forcing encryption is more expensive, but it is the best defense against this type of attack, and in the end the overhead is worth the security.
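The weakness described above (login encrypted, but a session cookie that the browser then sends over plain HTTP) and the defense recommended here (force encryption for the whole session) can both be checked from the server's own response headers. The following is an added example, not code from the book or from Firesheep: it audits a list of response headers for session cookies issued without the Secure attribute and for a missing Strict-Transport-Security header, and compares a weak response against a hardened one. The header samples, the cookie-name hints, and the function names are constructed for this example.

```python
"""Audit HTTP response headers for the weakness Firesheep exploited:
a session cookie issued without the Secure attribute, which the browser
will happily send over plain HTTP where anyone on an open network can sniff it.

Added example (not from the book); the sample headers below are constructed.
"""

from typing import Dict, List, Tuple

# Substrings that commonly identify a session cookie (assumption for this example).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie header value into {"name", "value", <attribute>...}.

    Attribute names are lowercased; valueless flags such as Secure and HttpOnly
    are stored with the value "true" so that `"secure" in cookie` works.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() or "true"
    return cookie


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name suggest it carries an authenticated session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings for (header-name, header-value) pairs sent by a server.

    Findings cover the two conditions that make cookie sniffing pay off:
    a session cookie usable over HTTP (no Secure flag) and no HSTS policy
    forcing later requests onto HTTPS.
    """
    findings: List[str] = []
    has_hsts = False
    for hname, hval in headers:
        lname = hname.lower()
        if lname == "set-cookie":
            cookie = parse_set_cookie(hval)
            if not looks_like_session_cookie(cookie["name"]):
                continue  # e.g. a locale preference; harmless if sniffed
            if "secure" not in cookie:
                findings.append(
                    f"{cookie['name']}: missing Secure; the browser will send it over plain HTTP"
                )
            if "httponly" not in cookie:
                findings.append(f"{cookie['name']}: missing HttpOnly; readable by page scripts")
        elif lname == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        findings.append(
            "no Strict-Transport-Security header; later requests can fall back to HTTP"
        )
    return findings


# Constructed: a site that encrypts the login page but issues a cookie usable over HTTP.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=9f3c2a1b; Path=/; HttpOnly"),
    ("Set-Cookie", "locale=en-US; Path=/"),
]

# Constructed: the same site after keeping the whole session on HTTPS.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=9f3c2a1b; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "locale=en-US; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["no findings"])
```

The weak response produces two findings (the session cookie lacks Secure, and there is no HSTS policy), the hardened one produces none. The name heuristic is deliberately loose; in a real audit you would list the application's actual session cookie names rather than guess from substrings.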

But, as with any arms race, there are technology countermeasures and procedural countermeasures. Zscaler released BlackSheep, written by Julien Sobrier. BlackSheep tricks Firesheep with a fake login cookie and notifies the user when Firesheep has been detected, displaying the IP address of the attacker so you know a bad guy is in the room. Figure 5-2 shows the message displaying the IP address of the machine running Firesheep.
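BlackSheep detects the attacker from the client side by watching for its decoy cookie being replayed. A site operator can apply the same idea on the server: a session cookie that was stolen over the wireless network will show up in the access log being presented from a second client address and browser shortly after the legitimate one. The following added example (not BlackSheep's or the book's code) runs that check over a few constructed access-log lines; the log format, the ten-minute window, and the function names are assumptions made for this example.

```python
"""Server-side detection of a hijacked session: the same session cookie is
presented from a different client address and user agent within a short
window of the legitimate user's last request.

Added example, not code from BlackSheep, Firesheep or the book; the log
format and lines below are constructed.
"""

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format: "<ISO time> <client IP> sid=<session id> ua="<user agent>""
LOG_LINE = re.compile(r'^(\S+) (\S+) sid=(\S+) ua="([^"]*)"$')

# Assumption: two legitimate requests from different addresses are unlikely
# to be closer together than this (e.g. a phone hopping networks).
WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, ip, session id, user agent)."""
    match = LOG_LINE.match(line.strip())
    if not match:
        raise ValueError(f"unparsable log line: {line!r}")
    ts, ip, sid, ua = match.groups()
    return datetime.fromisoformat(ts), ip, sid, ua


def find_suspect_sessions(lines: List[str]) -> Dict[str, List[str]]:
    """Map session id -> alerts raised when a second (ip, user agent) pair used it inside WINDOW."""
    last_seen: Dict[str, Tuple[datetime, str, str]] = {}
    alerts: Dict[str, List[str]] = defaultdict(list)
    for line in sorted(lines, key=lambda entry: parse_line(entry)[0]):
        ts, ip, sid, ua = parse_line(line)
        prev = last_seen.get(sid)
        if prev is not None:
            prev_ts, prev_ip, prev_ua = prev
            if (ip, ua) != (prev_ip, prev_ua) and ts - prev_ts <= WINDOW:
                gap = int((ts - prev_ts).total_seconds())
                alerts[sid].append(
                    f"{ts.isoformat()} session {sid} used from {ip} ({ua}) "
                    f"{gap}s after {prev_ip} ({prev_ua})"
                )
        last_seen[sid] = (ts, ip, ua)
    return dict(alerts)


# Constructed sample: sid abc123 is used by a second client 150 seconds after its owner.
SAMPLE_LOG = """
2024-01-15T17:30:00 10.0.0.5 sid=abc123 ua="Safari/iPhone"
2024-01-15T17:31:10 10.0.0.5 sid=abc123 ua="Safari/iPhone"
2024-01-15T17:33:40 10.0.0.9 sid=abc123 ua="Firefox/Linux"
2024-01-15T17:35:00 10.0.0.7 sid=zzz999 ua="Chrome/Mac"
2024-01-15T18:20:00 10.0.0.7 sid=zzz999 ua="Chrome/Mac"
""".strip().splitlines()

if __name__ == "__main__":
    for sid, messages in find_suspect_sessions(SAMPLE_LOG).items():
        for message in messages:
            print("ALERT", message)
```

Only session abc123 is flagged; zzz999 stays with one client throughout. Address-based checks produce false positives for mobile users, which is why the alert requires both the address and the user agent to change, and why this remains a detection aid: the fix is still to issue Secure cookies and keep the whole session on HTTPS.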


Figure 5-2 BlackSheep notification of Firesheep

The result of some of these hacking stories is that social networks are making changes and addressing some security issues. Facebook has made encrypted login available, but the whole session is still not encrypted. Twitter likewise still does not force encryption. Hopefully, all social networks will eventually encrypt user access by default.
