[Sidejacking is a….] Term used to describe the malicious act of hijacking an engaged Web session with a remote service by intercepting and using the credentials that identified the user/victim to that specific server. Typically, SideJacking is most common on sites that require authentication through a username and password, such as online Web mail accounts as well as social networking sites. SideJacking works only if the site catches a non-SSL cookie, so any Web site that uses SSL exclusively would be safe from SideJackers. SideJacking was first demonstrated by Robert Graham, CEO of Errata Security at Black Hat in 2007. (Source: Webopedia)
Wow, how fascinating to read about this and that it happens. Sidejacking (a.k.a. “cookie sniffing”) apparently involves stealing your social network (e.g. Facebook) login and cookies while you use an unencrypted connection. Unencrypted connections can be observed when your browser is not using “https:” to connect to a site that should be encrypted. And, surprising to me, it affects Gmail (like when you’re using a WiFi hotspot when you’re on the road)! Here’s my list of Virtual Private Network software/services that may help mitigate this issue.
When you open your laptop and connect to a WiFi hotspot, it usually presents you with a login page, or a page that forces you to accept their terms and conditions. During this time, SSL will be blocked. Gmail will therefore back off and attempt non-SSL connections. These also fail – but not before disclosing the cookie information that allows hackers to sidejack your account. (Read update)
Here’s an excerpt from a must-read blog entry from Eric Butler explaining it:
It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking“) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
I didn’t know it, but apparently, you can use a new Firefox browser add-on “FireSheep“ to capture this unsecured information. Unfortunately, I had trouble getting Firesheep to work on my up-to-date browser installations (e.g. Firefox, Flock)…but how hard would it be to get an “old” version of Firefox and try that out? I’m definitely going to test this on MY account and see what happens.
For folks who want to prevent unauthorized capturing of their data, the following two add-ons for Mozilla Firefox should address the issue; these add-ons force connections to be encrypted (HTTPS).
Alexia Tsotsis (TechCrunch) offers advice on how to address this:
HTTPS encrypts user data, so if a script like Firesheep’s tries to pull it, it can’t be read. Force-TLS forces a number of sites to make all of their requests over an SSL secured channel and while some sites, like Amazon, don’t currently have the secure option, the majors like Facebook, Twitter, Google, etc. all allow an HTTPS connection.
The two add-ons that will fix this problem for Mozilla Firefox are listed below:
- Force-TLS –
- HTTPS Everywhere – This product is in beta and available from the same folks who bring you The Onion Router (TOR), which allows you to bypass firewalls and filtering. Hmm….
More discussion on this online…the question going around in my head is, “This affects other browsers. It’s not just about Firefox. What happens with those? How do you force HTTPS in Internet Explorer? Chrome?” I’m not sure I have a complete understanding of all this.
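An added example, not part of the original post or of either add-on: the server-side counterpart to forcing HTTPS in the browser is to mark every cookie `Secure`, so the browser never sends it over a non-SSL connection, and to send a `Strict-Transport-Security` header so the browser refuses plain HTTP to that site. This Python check audits a response's headers for both; the sample headers and the names `audit` and `hsts_max_age` are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers; not captured from any real site.
LOGIN_ONLY_TLS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
ALWAYS_TLS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Secure"),
]


def hsts_max_age(value):
    """Return max-age in seconds from an HSTS header value, or None if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


def audit(headers):
    """List cookies a browser would also send over plain HTTP, and whether HSTS is active."""
    exposed, max_age = [], None
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            # A cookie without the Secure flag rides along on non-SSL requests.
            exposed += [c for c, morsel in jar.items() if not morsel["secure"]]
        elif name.lower() == "strict-transport-security":
            max_age = hsts_max_age(value)
    # max-age=0 tells the browser to forget the policy, so treat it as no HSTS.
    return {"exposed_cookies": exposed, "hsts": bool(max_age)}


if __name__ == "__main__":
    for label, hdrs in (("login-only TLS", LOGIN_ONLY_TLS), ("always TLS", ALWAYS_TLS)):
        print(label, audit(hdrs))
```

A site that encrypts only the login page looks like the first sample: the session cookie is set without `Secure`, which is the condition the sidejacking descriptions above depend on.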
Everything posted on Miguel Guhlin’s blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure