It’s simpler than ever to access the Internet. Airports, coffee spots, bookstores, and almost anywhere people linger now has the potential for high-speed laptop connectivity. We also take it for granted that our logins and passwords provide sufficient protection against hacking and identity theft, but this cautionary article on “sidejacking” will cause you to think again.
BREAKING NEWS UPDATE: Click this link for a report on Facebook’s new secure web connection!
The guy sitting next to you in the coffee shop might actually be logging into your Facebook account, using the info beaming out of your computer. It’s called “session hijacking” or “sidejacking,” and despite it being a well-known vulnerability, most websites aren’t protecting their users from it. After a developer recently unveiled a user-friendly bit of code that makes “sidejacking” as easy as a few mouse clicks, the problem is getting fresh attention.
How Easy Is Sidejacking to Do?
This part of the article actually scared me. I may know a lot about home security, but when it comes to Internet security, I’ve clearly been making some incorrect assumptions.
I’ve tried it out. Within seconds I saw the sessions of everyone around me at the coffee shop, including my own Gmail session. If I wanted to, I could have changed people’s relationship statuses to “single.” I could have gotten access to information on their profile they thought was hidden, like their contact information, and if they were going to be home this weekend. It’s a stalker’s best friend. Or an identity thief’s.
Here’s the Technical Detail
See, if you’re connected over an open, unencrypted wifi network, it’s terribly easy for someone to copy your “cookies,” the file stored on your computer containing, among other things, your login credentials. A lot of sites will protect the initial login using “HTTPS,” which encrypts the session, but then the rest of the session continues under HTTP. It’s like your cookies are getting tossed through the air all around the coffee shop!
What You Can Do
To protect yourself, when you’re not at home, avoid logging into websites that don’t use HTTPS. You can also install the Firefox extension “HTTPS Everywhere,” developed by the Electronic Frontier Foundation, which defaults all your sessions to HTTPS for several major websites like Facebook, Amazon, Paypal, and Twitter.
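The site-side counterpart to the advice above is making sure the session cookie can never leave the browser over plain HTTP. As an added example (not code from the article, the commenter, or FrontPoint), here is a small Python check a site operator could run over the Set-Cookie headers a login response returns: a session-like cookie without the Secure attribute is one the browser will send over HTTP too, which is exactly the exposure the technical detail describes. The header values and the session-name heuristic are constructed for the example.

```python
from typing import Dict, List

# Constructed sample Set-Cookie headers from a hypothetical site that logs in
# over HTTPS and then continues the session over HTTP.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                        # no Secure: sent over HTTP
    "csrftoken=tok; Path=/; Secure",
    "theme=dark; Path=/",                                        # preference, not a session
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",    # hardened form
]

# Name fragments that usually mark a logged-in session (heuristic, not exhaustive).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Return the cookie name plus the two attributes that matter for transport safety."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    # Attribute names are case-insensitive; values (Path=/) are irrelevant here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"name": name.strip(), "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit_cookies(headers: List[str]) -> List[str]:
    """Names of session-like cookies that lack Secure and so travel over plain HTTP."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        looks_like_session = any(h in str(cookie["name"]).lower() for h in SESSION_NAME_HINTS)
        if looks_like_session and not cookie["secure"]:
            findings.append(str(cookie["name"]))
    return findings


def ensure_secure(header: str) -> str:
    """Corrected header: append Secure so the browser only sends the cookie over HTTPS."""
    return header if parse_set_cookie(header)["secure"] else header + "; Secure"


if __name__ == "__main__":
    for name in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"session cookie '{name}' is missing the Secure attribute")
```

Fixing the flag only helps if every page after login is also served over HTTPS, since a Secure cookie is withheld from HTTP requests and the user would simply appear logged out there.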
The article has a number of comments, and one comment describes a hack that has happened to more than one friend of mine. Here’s some great advice:
Turn off sharing on your computer when you’re on public Wifi. People are getting their gmail accounts hacked and taken over. The hacker sends out an “I’m in trouble, need money” e-mail to your entire address book — after changing your secret question, etc., so you can’t get your e-mail account back. Your only alternative is shutting it down, and hoping none of your friends are dim enough to pay.
While this cyber-threat may not be the same as the social media risk topic we’ve addressed in prior posts, it’s clearly related – and at FrontPoint, we’re concerned about every aspect of your personal and home security. Whether it’s leading the field with the best interactive wireless home security, or warning you about what not to share on Facebook, FrontPoint is your partner for peace of mind.