Firefox add-on lets hackers hijack user accounts

A free Firefox add-on allows easy access to other users' password-protected accounts at social networks and other sites - without even needing to steal login details.

Eric Butler created the add-on, Firesheep, for Windows and Mac OS X, in the hope of getting Facebook and others to improve their site security.

Unveiling the software to delegates at the Toorcon hacking conference in San Diego on Sunday, Butler explained that Firesheep takes advantage of a technique called 'sidejacking' to exploit a loophole in the way many web sites handle session security.

When users log into a secure web site, they're asked to submit a username and password. The server then checks to see that an account matching the username exists and, if so, that the password matches the one it has saved in its records.

If the answer to both of these questions is 'yes', the server sends back a 'cookie' to the user's computer, which the browser will use to uniquely identify itself for all future requests in that session.

The problem Butler identified was that although the password and login information are securely encrypted for transmission, the cookie that's sent back is not.

Any hacker who can intercept the cookie will be able to do anything that the user can, for as long as they're signed in. As Butler says on his blog, if you're logged on to an open wireless network, cookies are "basically shouted through the air" - making this kind of attack extremely easy.

Once installed, Firesheep adds an extra sidebar to the user's browser. All the user needs to do is connect to an open Wi-Fi network and click the 'Start Capturing' button to harvest other users' cookies.

Butler has released the tool to highlight what he sees as a major security flaw, in the hope that web sites will adopt the only effective fix for the problem: end-to-end encryption of all traffic between user and website using Secure Sockets Layer (SSL).
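For site operators, the gap described above (an encrypted login followed by a session cookie that travels in the clear) can be checked from response headers. The following is an added example, not code from Butler or Firesheep; the hostnames, cookie names and values are constructed, and it relies on the standard cookie 'Secure' attribute, which tells a browser to send the cookie only over HTTPS.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(responses):
    """Return (url, cookie, reason) for every cookie an eavesdropper on the
    same network could read, given (url, [Set-Cookie values]) pairs."""
    findings = []
    for url, set_cookie_headers in responses:
        scheme = urlsplit(url).scheme.lower()
        for header in set_cookie_headers:
            name, attrs = parse_set_cookie(header)
            if scheme != "https":
                # The response itself was unencrypted, so the cookie already was too.
                findings.append((url, name, "set over plaintext HTTP"))
            elif "secure" not in attrs:
                # Encrypted login, but the browser will attach this cookie to any
                # later http:// request to the same host.
                findings.append((url, name, "missing Secure attribute"))
    return findings


# Constructed sample: three responses as a header audit might record them.
SAMPLE = [
    ("https://social.example/login", ["session=3f9a1c; Path=/; HttpOnly"]),
    ("http://social.example/home", ["prefs=dark; Path=/"]),
    ("https://bank.example/login", ["sid=77ab02; Path=/; Secure; HttpOnly"]),
]

if __name__ == "__main__":
    for url, name, reason in audit(SAMPLE):
        print(f"{url}: cookie '{name}' exposed ({reason})")
```

A clean result here only covers the cookie; the site still has to serve every page over SSL, as the article says, or the 'Secure' cookie will simply be missing on its plaintext pages.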

"Facebook is constantly rolling out new 'privacy' features in an endless attempt to quell the screams of unhappy users," Butler complained on his blog, "but what's the point when someone can just take over an account entirely?"