THE OAK RIDGE NORTH POLICE DEPARTMENT COMMUNITY INFORMATION / INTERNET ALERT
SEARCH High‐Tech Crime Training Services – Special Bulletin
Timothy M. Lott, SEARCH High‐Tech Crime Training Specialist
Lauren L. Wagner, SEARCH High‐Tech Crime Training Specialist
On Sunday, October 24, 2010, a new Mozilla Firefox add‐on called Firesheep was released as a
free download by software developer Eric Butler.
This add-on makes it incredibly easy to “sidejack” sessions on sites that do not use HTTPS for the whole
visit (for example, Facebook and Twitter) when users connect to them over an open wireless network.
Sidejacking is defined as “intercepting and using the credentials from an unsecured web site login to
hijack a web session.”1 In practice the add-on does not capture the password: it copies the session cookie
that the site sends in the clear with every page request after login, and a copy of that cookie is enough
for the site to treat the holder as the logged-in user. While the ability to sidejack is nothing new, this
add-on makes it feasible for anyone to do it with alarming simplicity. No programming or “hacker skills”
are required. As of the writing of this bulletin, this add-on has been downloaded over 340,000 times.
Takeovers can occur if a user connects to an open wireless network (such as at a coffee shop,
the airport, or a hotel) and then logs into their accounts. No browser is immune, because the weakness
is in the websites' use of unencrypted HTTP rather than in the browser: the four most popular Internet
browsers, mobile Internet browsers, and certain apps that run on portable devices are all affected. If a
sidejacker is running Firesheep on the same network and users connect to their susceptible accounts, the
sidejacker will see a list of captured accounts in a sidebar on the left-hand side of the browser window
(example 1). The sidejacker can then select any of those accounts from the sidebar and is logged in to
that user's account without ever learning the user's password.
1 http://www.webopedia.com/TERM/S/SideJacking.html
Example 1: Instance of Firefox running Firesheep. Multiple websites have been captured, some with multiple users.
SEARCH has tested the Firesheep add‐on using Facebook, Twitter, Google, Yahoo!, Foursquare,
Tumblr, Yelp, and Amazon. We were able to access each website with varying levels of success.
In our initial and limited tests, it appears there are some cases where you can only view
information, while in other cases, you can take much more active control of a user’s account.
For example—
On Amazon.com, you can view a user’s Wishlist, but not make purchases or change settings;
In Yahoo!, you can preview the most recent email but not read the full body, and you can
view the Yahoo! Messenger contact list but not participate in chat; and
In Google, you can view and edit the full contact list (including phone contacts if the Gmail
account is synced to an Android phone such as the Droid), but not view emails or change password settings.
Our testing showed that the most functionality, by far, is gained through Facebook, Twitter,
Foursquare and Tumblr. In Twitter, the sidejackers can tweet as you, send direct messages as
you, view all of your Twitter direct messages, and can change certain settings, including
deleting your current phone number and adding a new one. In Facebook, the sidejackers can
access all areas of your profile, send messages as you, intercept your chat messages, read your
Facebook emails, and change privacy settings, but the one thing that they are unable to do is to
change your password (example 2).
The Firesheep developer states that he will be adding support for more websites soon. The
complete list of websites Firesheep supports is available at
http://github.com/codebutler/firesheep/wiki/Handlers.
Example 2: This Facebook page has been sidejacked using the Firesheep add‐on. The sidejacker is accessing the account as the user.
Protection Methods
Do not log into any accounts while connected to open wireless.
If you are going to connect to open wireless networks and log in to these accounts, use
an HTTPS connection (for example, type https://facebook.com rather than
http://facebook.com). This only protects you if the site keeps you on HTTPS after you log
in; a site that switches back to HTTP still sends the session cookie in the clear, and only
the website operator can change that.
Use the Firefox Internet browser; there is an add-on, HTTPS Everywhere, that automatically
switches supported sites to HTTPS so you do not have to remember to do so.
Download it at https://www.eff.org/https-everywhere.
o SEARCH has not done any extensive testing of this add-on and users download it at
their own risk.
You cannot choose HTTPS yourself in iPhone and iPad apps (the app decides how it connects),
so there is no way to protect yourself when using those apps on open wireless.
o You are protected if you connect on these devices through the 3G connection, which is
not an open wireless network.
Do not run an open (unencrypted) wireless network at your residence; enable WPA2 encryption
with a strong passphrase so that traffic on your own network cannot be read by a neighbor.
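The mechanism described under “Takeovers can occur” and the reason the HTTPS advice above works, as an added example that is not part of this bulletin and is not Firesheep's own code. The handler table, cookie names (sid, user, shop_session), host names and captured requests below are all constructed for illustration and are not the real sites' cookies. The code shows what a sniffer on an open network recovers from cleartext HTTP requests, and that a cookie the site marks Secure is never sent over http:// and therefore never appears in such a capture.

```javascript
// Added example (not Firesheep's code). Handler table, cookie names and
// captured requests are constructed for illustration only.
'use strict';

// Firesheep-style handler table: which cookies identify a logged-in session
// on a given site. Names are hypothetical, not any real site's cookies.
const HANDLERS = [
  { name: 'ExampleSocial', domains: ['social.example'], sessionCookieNames: ['sid', 'user'] },
  { name: 'ExampleShop',   domains: ['shop.example'],   sessionCookieNames: ['shop_session'] },
];

// Parse one raw HTTP/1.1 request (what a sniffer sees on open Wi-Fi) into
// method, path, Host and a cookie map. Returns null for anything else.
function parseRequest(raw) {
  const lines = raw.split('\r\n');
  const m = /^([A-Z]+) (\S+) HTTP\/1\.[01]$/.exec(lines[0]);
  if (!m) return null;
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === '') break;                  // blank line ends the headers
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  const cookies = {};
  for (const pair of (headers['cookie'] || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq > 0) cookies[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return { method: m[1], path: m[2], host: headers['host'] || '', cookies };
}

// Match the request's Host against a handler (exact domain or a subdomain).
function findHandler(host) {
  const h = host.toLowerCase().replace(/:\d+$/, '');
  return HANDLERS.find(hd => hd.domains.some(d => h === d || h.endsWith('.' + d))) || null;
}

// Given cleartext captures, return the sessions a sidejacker could replay:
// one entry per captured request that carries a complete set of session cookies.
function extractSessions(captures) {
  const sessions = [];
  for (const raw of captures) {
    const req = parseRequest(raw);
    if (!req) continue;
    const handler = findHandler(req.host);
    if (!handler) continue;
    const stolen = {};
    for (const name of handler.sessionCookieNames) {
      if (name in req.cookies) stolen[name] = req.cookies[name];
    }
    // A logged-out visitor sends none of these; only a full set is usable.
    if (Object.keys(stolen).length === handler.sessionCookieNames.length) {
      sessions.push({ site: handler.name, host: req.host, cookies: stolen });
    }
  }
  return sessions;
}

// Browser-side view: which cookies in the jar would be attached to a request?
// A cookie set with the Secure attribute is only sent over https://, so it
// never crosses the open network in the clear.
function cookiesSentTo(url, jar) {
  const https = url.startsWith('https://');
  return jar.filter(c => https || !c.secure).map(c => `${c.name}=${c.value}`).join('; ');
}

// Constructed captures (not real traffic): two logged-in users, one
// logged-out visitor, and one site with no handler.
const CAPTURES = [
  'GET /home HTTP/1.1\r\nHost: www.social.example\r\nCookie: sid=abc123; user=42; theme=dark\r\n\r\n',
  'GET /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: shop_session=zzz; lang=en\r\n\r\n',
  'GET /home HTTP/1.1\r\nHost: www.social.example\r\nCookie: theme=dark\r\n\r\n',
  'GET / HTTP/1.1\r\nHost: news.example\r\nCookie: sid=notours\r\n\r\n',
];

// Constructed cookie jar for a user of social.example whose site marked the
// session cookies Secure (a preference cookie is left non-Secure).
const JAR = [
  { name: 'sid',   value: 'abc123', secure: true },
  { name: 'user',  value: '42',     secure: true },
  { name: 'theme', value: 'dark',   secure: false },
];

console.log('sidejackable sessions:', JSON.stringify(extractSessions(CAPTURES)));
console.log('sent over http :', cookiesSentTo('http://www.social.example/home', JAR));
console.log('sent over https:', cookiesSentTo('https://www.social.example/home', JAR));
```

Run it with node. The first line lists the two sessions a sidejacker on the same network could replay; the logged-out request and the unknown site yield nothing. The last two lines show the same cookie jar over http:// (only the non-Secure preference cookie leaves the browser) and over https:// (everything is sent, but encrypted). HTTPS Everywhere helps for the same reason: by rewriting the request to https:// before it is sent, there is no cleartext request on the air for the add-on to read.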
Implications for Law Enforcement
This information about Firesheep is important for law enforcement to know not only for your
personal safety, but also for the implications it has for cases involving stalking, cyber-bullying,
harassment, blackmail, identity theft, etc. Because sidejacking takes place on an open wireless
network, anything the sidejacker posts appears to come from the victim's own account, and it would be
extremely difficult to locate the person who actually posted the information.
We know many of you have personal Facebook accounts and wanted to get this information to
you as soon as possible.
Address/Location
City of Oak Ridge North
27424 Robinson Rd
Oak Ridge North, TX 77385
Contact
Emergency: 9-1-1
Non-emergencies: 281-292-4762
Chief A.T. Walters
Administration
[email protected]
832-381-3212