Your Facebook Login Can Get Jacked By A Monkey With A Mouse

The guy sitting next to you in the coffee shop might actually be logging into your Facebook account, using the info beaming out your computer. It’s called “session hijacking” or “sidejacking” and despite it being a well-known vulnerability, most websites aren’t protecting their users from it. After a developer recently unveiled a user-friendly bit of code that makes “sidejacking” as easy a few mouse clicks, the problem is getting fresh attention.

I’ve tried it out. Within seconds I saw the sessions of everyone around me at the coffee shop, including my own Gmail session. If I wanted to, I could have changed people’s relationship statuses to “single.” I could have gotten access to information on their profile they thought was hidden, like their contact information, and if they were going to be home this weekend.

It’s a stalker’s best friend. Or an identity thief’s.

See, if you’re connected over an open, unencrpyted wifi network, it’s terribly easy for someone to copy your “cookies,” the file stored on your computer containing, among other things, your login credentials.

A lot of site will protect the initial login using “HTTPS,” which encrpyts the session but then the rest of the session continues under HTTP. It’s like your cookies are getting tossed through the air all around the coffee shop!

To protect yourself, when you’re not at home, avoid logging into websites that don’t use HTTPS.

You can also install the Firefox extension “HTTPS Everywhere,” developed by the Electronic Frontier Foundation, which defaults all your sessions to HTTPS for several major websites like Facebook, Amazon, Paypal, and Twitter.

Chrome users can use KB SSL Enforcer, which automatically detects if a website
supports SSL and automatically redirects you to it.

Commenter ovalseven recommends downloading HotspotShield (free), which encrypts your browsing with HTTPS, on any browser and OS by setting up your own VPN (works on iPhone too).

(Hat tip to Brandon Savage!)