If you use your laptop or smartphone in places with free wi-fi such as Starbucks, you might be compromising your online identity. If you can access the hotspot without having to enter a password, it is a trivial matter for someone else who’s also on the network to gain access to your Gmail or Facebook accounts (among many others). Thanks to a Firefox extension released earlier this year, you don’t need to be a sophisticated hacker to do all this – all you need is to run the extension, and within a few minutes you can access the identities of other people on the network with a single click.
To understand how this works, and how you can protect yourself (to a large extent), we’ll have to go into a bit more detail about why it’s so easy to do this in the first place. When you access a website such as Gmail or Facebook, it stores some information on your computer (a cookie) which tells the website who you are on future visits. If your browser supports cookies, it will send all the cookies for the website every time you visit it. (For example, when you visit Facebook, your browser will first send all the Facebook cookies to the server so that the server knows who you are. Cookies are only sent to the site that owns them, so your browser will not send your Gmail cookies to Facebook, but every time you visit any page on Facebook, you are transmitting cookies to the server.)
It should now be clear that if you can send someone else’s cookies to Facebook, it would think that you are that other person. That’s the essence of ‘session hijacking’, whereby an attacker gains access to someone else’s cookies, thus effectively hijacking their session. But if your cookie is on your computer, how can someone else get access to it? If you are on an open network, all your information is being sent in plain text between your browser and the server. Any ‘man in the middle’ can ‘sniff’ your data packets and use them. When I ran the extension on an open network recently, I could have easily accessed the Facebook, Twitter, Gmail and Yahoo accounts of pretty much everyone else using a laptop in the room. (I did not, but it would’ve been trivial for someone else to do it.) There’s a handler available for pretty much every popular online service, and it’s not hard to add a handler for a new website, if you can write a bit of code.
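
To see which of your cookies actually cross the network in readable form, here is a small model of the browser rule described above. It is an added example, not code from this post or from the extension, and it goes one step beyond the text by also modelling the standard `Secure` cookie attribute, which keeps a cookie off unencrypted `http://` requests. The site names and cookie values are constructed, and path matching is left out for brevity.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie header received from origin_host."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {
        "name": name.strip(),
        "value": value.strip(),
        "domain": domain or origin_host.lower(),
        "host_only": not domain,      # no Domain attribute: exact host only
        "secure": "secure" in attrs,  # Secure: never sent over plain http
    }

def cookies_sent(jar, url):
    """Names of the cookies a browser attaches to a request for url."""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    sent = []
    for c in jar:
        domain_ok = host == c["domain"] or (
            not c["host_only"] and host.endswith("." + c["domain"]))
        if domain_ok and (target.scheme == "https" or not c["secure"]):
            sent.append(c["name"])
    return sent

def exposed_to_sniffer(jar, url):
    """Cookies that cross an open network in cleartext for this request."""
    return cookies_sent(jar, url) if urlsplit(url).scheme == "http" else []

# Constructed sample data: hypothetical sites, not captured traffic.
JAR = [
    parse_set_cookie("session=abc123; Domain=social.example; Path=/",
                     "www.social.example"),
    parse_set_cookie("prefs=dark; Path=/", "www.social.example"),
    parse_set_cookie("sid=xyz789; Secure; HttpOnly", "mail.example"),
]

if __name__ == "__main__":
    for url in ("http://www.social.example/photos",
                "http://mail.example/inbox", "https://mail.example/inbox"):
        print(url, "sends", cookies_sent(JAR, url),
              "cleartext:", exposed_to_sniffer(JAR, url))
```

The session cookie of the constructed social site is attached to every plain `http://` page view and is therefore readable on an open network, while the mail site's `Secure` cookie is only ever sent over `https://`.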

How can you protect yourself?
- Avoid using wi-fi networks that do not require you to enter a password (examples: Starbucks, Barnes & Noble and many coffee shops).
- If the wi-fi hotspot requires you to enter a password, make sure that it’s not WEP (if everyone is using the same password, then an attacker who has the password can decrypt all the packets being transmitted). WPA/WPA2 is more commonly used by wi-fi networks these days and provides protection against your data being sniffed by someone while in transit. (Of course, every encryption scheme has some vulnerability which will come out at some point, but we are talking about protecting our data against script kiddies, not the NSA.)
- If you absolutely have to use a free network without a password, use a VPN. A VPN basically encrypts all communication (if configured to do so) from your computer, so irrespective of whether the wi-fi network uses encryption or not, your data packets will be encrypted. If you are on a corporate computer, you probably already have access to your company VPN. If you are on a personal network, you’ll have to do a bit more work to set up a VPN server at home (I’ll probably cover this in a different blog post), but if you have access to a VPN, it’s trivial to get either OS X or Windows to use it when you are online.
Keep in mind that these vulnerabilities are not brand new – they’ve existed as long as wireless networks have existed, but it’s so trivial to exploit them right now that there’s a good chance that some kid is running a sniffer on the network you are using at the moment.
2 Comments
I had no idea!
Are you writing a PhD thesis on
“How our Identity can be Compromised?” — 1000 ways …