Can you please explain what sidejacking is and how to avoid it? Thanks
This question was answered on October 26, 2010. Much of the information contained herein may have changed since posting.
Sidejacking refers to the ability to hijack a web session on another computer that is connected to the same open Wi-Fi network (someone sitting by your side, hijacking your web surfing session).
This exploit originally surfaced in early 2008, but at the time, only sophisticated technical types could set up a laptop to accomplish this feat, and the time it took to assemble the bits of captured data made it uncommon in the wild.
It’s always been dangerous to conduct private business on public Wi-Fi networks, but the danger just elevated 1,000 fold this past week.
A programmer at a hacker conference in San Diego released a free add-on to the Firefox browser to illustrate how dangerous it is to login to any unsecured website on a public hotspot.
Anyone that downloads the plug-in can start monitoring the traffic on any open Wi-Fi network and capture the ‘session cookies’ that are common to how most websites work with registered users.
For instance, when you sign into your Facebook account, a session cookie is sent back to your machine for any other requests you make during that session (so you don’t have to constantly input your username and password). Once you log off, the session cookie is terminated and is no longer of use.
If someone sitting near you (30 to 100 feet) is on the same unsecured network, they can literally snatch a copy of the session cookie out of the air and start using your account as if you had just logged into their computer.
The tool comes pre-loaded with the ability to recognize session cookies from dozens of major online networks including Amazon, Flickr, Foursquare, Google, Yahoo, Facebook, Twitter, Bit.ly, Windows Live, Wordpress and the list goes on.
Any website can be added to the ‘watchlist’ so that session cookies from just about any unsecured transaction can be captured.
To be clear, banking sites or other secure websites that use the “HTTPS” protocol on all pages cannot be exploited by this tool, only exchanges that are unsecured (HTTP), which is how many sites operate once you log in.
This tool has turned every wannabe hacker into a one-click hijacker, which is why things just got more dangerous for public Wi-Fi users. In my tests, any device (including smartphones and iPads) that uses a browser to login to an unsecured site can be hijacked by this tool.
There are a number of ways to avoid getting hijacked that range from changing your behavior to installing special software.
First and foremost, don’t ever login to any of your e-mail, shopping or social networking accounts through a web browser on a public network ever again (or install the add-ons in the next paragraph).
If you have a smartphone that you occasionally use on public Wi-Fi (because it’s faster than the cell data networks), download the associated social media apps instead of going to Twitter.com or Facebook.com on a web browser.
If you want to make sure your web browsing sessions are not captured while on public Wi-Fi networks, you can install a free Firefox add-on called Force TLS (http://bit.ly/9CzNPE) or, if you use Google’s Chrome, install KB SSL Enforcer (http://bit.ly/d5thKD), both of which automatically redirect you to secured pages for the sites that you choose.
If you have a cellular broadband data card or stick, use it instead of the public Wi-Fi hotspot unless you don't plan to login to any websites. It will be slower, but it's much more secure.
If your laptop is part of a corporate network, it may already have VPN (Virtual Private Networking) software installed, which will also protect you.
All of these security programs will add ‘overhead’ to your sessions and in some cases functionality may be impacted (Facebook chat doesn’t seem to work in secured https: sessions) but the tradeoff is more than worth it.
About the author
Posted by Ken Colburn of Data Doctors on October 26, 2010
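A way to check, for a site you run or use, whether a login cookie would ride over an open network in the clear, and what the HTTPS-forcing add-ons described above change. This is an added example, not part of the original column; the host social.example, the cookie names and the Set-Cookie lines are constructed, and the session-name heuristic is an assumption.

```python
"""Which session cookies would cross an open Wi-Fi network in the clear?
Added example for this column; cookie names, hosts and headers are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")  # constructed heuristic


def is_session_cookie(name):
    """Does this cookie name look like a session or login identifier?"""
    return any(hint in name.lower() for hint in SESSION_HINTS)


def upgrade_to_https(url, enforced_hosts):
    """Model of what Force TLS / KB SSL Enforcer do on the client: rewrite an
    http:// request to a host you chose into https:// before it leaves the machine."""
    p = urlsplit(url)
    if p.scheme == "http" and p.hostname in enforced_hosts:
        return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
    return url


def exposed_cookies(set_cookie_headers, request_url, enforced_hosts=()):
    """Names of session cookies a sniffer on the same network could read when the
    browser fetches request_url. A cookie is exposed when the request goes out
    over plain HTTP and the cookie lacks the Secure flag: without Secure the
    browser replays it on http:// pages, the unsecured post-login traffic the
    column describes. HttpOnly does not help here; it only hides the cookie
    from page scripts, not from the network."""
    if urlsplit(upgrade_to_https(request_url, enforced_hosts)).scheme == "https":
        return []  # the whole exchange is inside TLS: nothing to capture
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; Attr; Attr=value"
        for name, morsel in jar.items():
            if is_session_cookie(name) and not morsel["secure"]:
                exposed.append(name)
    return exposed


# Constructed login response: one cookie flagged Secure, one that is not.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "authtoken=def456; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]
```

Run `exposed_cookies(SAMPLE_HEADERS, "http://social.example/home")` to see `sessionid` flagged, then pass `enforced_hosts={"social.example"}` to see the add-on model close the gap.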