New Firefox extension demonstrates worrisome security flaws

Nov. 9, 2010, 2:03 a.m.

A recently released extension for the Mozilla Firefox Web browser highlights a serious security flaw in many major websites, including Facebook, Amazon and Twitter. The extension, Firesheep, allows any user to impersonate another person on these websites, with potentially serious social consequences.

“It’s not really hacking into other people’s accounts because you don’t steal passwords,” said Zahan Malkani ’12, residential computer consultant (RCC) in East Florence Moore Hall. “This is essentially assuming other people’s identities.”

(Eric Kofman/The Stanford Daily)

“To log in to one of these sites you need to log in and identify yourself, which creates a unique identifier,” he said. “But, you don’t need to identify yourself again at any page, and people in the same network with this plug-in can take your previously created unique identifier and be you.”

Because most Stanford students work on the same wireless network and the traffic is unencrypted–that is, not scrambled in a way that only the sender and receiver can understand–anyone on that network can grab someone’s unique identifier, the authentication cookie, as he or she interacts with the server.

“It’s like having a conversation in a public coffee house,” said Rinconada RCC Brian White ’12. “And anyone can hear other conversations and use that information.”

This general problem has been around since the beginning of these websites, except before it would take a particularly skilled programmer to work around the security flaws and actually obtain information. Now, Firesheep makes it simple for anyone on the same wireless connection to access other people’s accounts on certain websites as if they were the actual owners.

Though the ramifications of the extension are mostly social, an attack could seriously damage someone’s reputation or compromise personal information. For example, someone could impersonate another person on Facebook and change his or her status, or go through personal messages—the possibilities are extensive. As of now, there have been no reported cases of severely malicious use of this plug-in—most of the incidents have been minor jokes or pranks—but it is still dangerous to be exposed to such a large community sharing the same wireless network.

“The most shocking thing is that it’s so easy to exploit,” White said. “The potential damages are obviously pretty major concerns, but the true fear is that these websites have such major security flaws.”

There are multiple ways to prevent such attacks from happening. On the website company’s side, the company could encrypt all traffic between the user and the server so that other users on the network cannot read it. However, this is a costly and lengthy process, so students cannot expect to rely on the companies for safety.

There are also simpler steps that users may take to protect themselves. There is currently a Firefox extension that a user can download which makes the browser use a secure HTTPS connection instead of regular HTTP, so that every page visited is encrypted. Using a wired connection would prevent such attacks as well. Simply remembering to log off these sites—or not logging onto them at all—would also help prevent attacks, because the unique identifier is deleted once a session is over.
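To make the two defender-side fixes in the paragraphs above concrete, here is an added example (not code from the article, from Firesheep, or from any of the websites it names) of how a server can keep its session identifier off an unencrypted network and destroy it on logout. It uses only the Python standard library; the host name `example.test`, the user `alice` and the `handle_request` model of a web server are constructed for illustration.

```python
"""
Added example: a minimal session layer that (1) issues the session cookie
with the Secure attribute so the browser sends it only over HTTPS, (2)
redirects any plain-HTTP request before looking at its cookies, and (3)
deletes the identifier server-side on logout. Names are constructed.
"""
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """Server-side session table: identifier -> (user, expiry time)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}

    def login(self, user):
        # 256-bit random value: this is the "unique identifier" the article
        # describes, and the only secret an eavesdropper on open Wi-Fi could use.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, time.time() + self.ttl)
        return sid

    def logout(self, sid):
        # Logging off deletes the identifier on the server, so a copy captured
        # earlier is worthless from this point on.
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expiry = entry
        if time.time() > expiry:
            self._sessions.pop(sid, None)
            return None
        return user


def session_cookie_header(sid, max_age=3600):
    """Set-Cookie value for the session identifier.

    Secure   -> browser sends it only over HTTPS, never on an unencrypted hop.
    HttpOnly -> page scripts cannot read it.
    SameSite -> not attached to cross-site requests.
    """
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["max-age"] = max_age
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def parse_session_cookie(cookie_header):
    """Extract the session identifier from a request's Cookie header."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    return morsel.value if morsel else None


def handle_request(store, scheme, host, path, cookie_header):
    """Model one request; returns (status, headers, body).

    Plain-HTTP requests are redirected before any session lookup, so the
    identifier is neither issued nor honoured over an unencrypted connection.
    """
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}, ""
    # HSTS tells the browser to use HTTPS for this host from now on.
    headers = {"Strict-Transport-Security": "max-age=31536000"}
    sid = parse_session_cookie(cookie_header)
    user = store.user_for(sid) if sid else None
    if user is None:
        return 401, headers, "not logged in"
    return 200, headers, f"hello {user}"


def demo():
    """Walk a constructed session through HTTP, HTTPS and logout."""
    store = SessionStore()
    sid = store.login("alice")
    cookie = f"session={sid}"
    results = {}
    results["over_http"] = handle_request(store, "http", "example.test", "/inbox", cookie)[0]
    results["over_https"] = handle_request(store, "https", "example.test", "/inbox", cookie)[0]
    store.logout(sid)
    results["after_logout"] = handle_request(store, "https", "example.test", "/inbox", cookie)[0]
    return results


if __name__ == "__main__":
    print(session_cookie_header("constructed-example-id"))
    print(demo())
```

The three results returned by `demo()` are the whole point: the same cookie is refused over HTTP (redirected before it is read), accepted over HTTPS, and refused again once the user has logged off, which is exactly why the article recommends both an encrypted connection and remembering to log out.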

The University administration has already taken a firm stance against the use of the plug-in, White said.

“Basically, the administration equates using the plug-in to identity theft,” said White. “It’s a really stupid reason to get suspended from Stanford. They’re sending the message that this isn’t something to be played with lightly.”

Jose Valdez, a network administrator for academic computing services, also emphasized the severity of an infraction of this kind.

Forgery or other misrepresentation of one’s identity through electronic communication, like other types of communication, is a Fundamental Standard violation, Valdez said in an e-mail to The Daily, adding that prosecution under state or federal laws may apply.
