New FireSheep-Style Tool Hijacks Twitter Sessions

Days after researchers at the ToorCon Security Conference in San Diego released a tool to hijack insecure Web sessions on Facebook, iGoogle and Flickr, a developer has released a similar tool, dubbed “Idiocy” that does the same for insecure Twitter sessions. 

There’s a twist, though. Rather than just monitoring the unsecured Web sessions, the new tool lets the attacker post a warning message using the Twitter account of the unsuspecting user (can we call them “Twidiots”?).

The software is the creation of Jonty Wareing, a 26-year-old software developer for Last.fm in London, UK. Wareing created Idiocy “at 7 AM in a fit of irritation” and released it on github.com. The program “quitely (sic) watches for people unsecurely (sic) visiting twitter on public wifi networks, then hijacks their session to post a tweet warning them about the dangers,” according to a description that accompanies the application.

Contacted using instant messenger, Wareing said he created the program after reading about Firesheep, the browser plugin that snooped on insecure social networking sessions.

Like Firesheep, Idiocy simply streamlines an attack that is “as old as the hills.” “It’s been simple to exploit for many years, but there was always an entry barrier,” he wrote. Idiocy attempts to lower that barrier. The tool monitors unencrypted wifi traffic, extracting the cookie headers for the domains (such as twitter.com) it is interested in. Idiocy then uses those cookies to send HTTP requests to the user’s Twitter account that tweet a message and a link to an explanatory Web page set up on Wareing’s blog. The tweet reads “I browsed twitter insecurely on a public network and all I got was this lousy tweet.”

“The main difference is that idiocy is designed to warn the user that they are vulnerable to attack,” wrote Wareing, who claims his motivation was really to protect users.

“Firesheep was released with only one defence plan, namely forcing websites to either support or enforce SSL (Secure Sockets Layer).  Currently unless users tunnel their traffic (which, let’s face it, most people can’t do), you have no option but to avoid public networks if you are using a website without full SSL support.”

However, Twitter does offer users the option of using an SSL-secured site, accessible at https://twitter.com, so the solution to insecure tweeting is “very simple,” Wareing points out.

Unlike Firesheep, which could be installed as a simple Firefox plugin, Idiocy requires a bit more tweaking and technical know-how. The app is built to run on Linux and OS X, but does not have out-of-the-box support for Windows. Users on supported platforms must have Python installed as well as libpcap, python-pcap and python-dpkt. Users must also switch their wireless networking interface to “monitor” mode to get it to work.

Wareing hopes that the tool, if widely used, might add to the discussion that Firesheep started about the need for large scale SSL deployments.

“I do believe that Firesheep has been valuable (in) raising the profile of the problem, many people are now discussing large scale SSL deployment,” he wrote.

Since releasing the tool on Tuesday, he said he’s gotten “great response,” but couldn’t say how many people have downloaded and installed the tool. A search of Twitter for the Idiocy telltale tweet shows just three results, most believed to be friends or acquaintances of Wareing’s. 

He said he has no firm plans to continue developing the tool. He might add support for Facebook or other popular sites, but he ruled out adding it to the Firesheep platform.

Discussion

  • Anonymous on

    Even if you connect to twitter via ssl, the cookie isn't flagged as secure, as it should be. It may be more difficult to intercept and decipher, but it's available.
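The article describes Idiocy lifting cookie headers from plaintext traffic, and the comment above notes that an SSL site does not help if the session cookie is not flagged Secure. As an added example (not part of the article or of Wareing's tool), here is a small Python audit of Set-Cookie headers that flags session-looking cookies missing the Secure and HttpOnly attributes; the header values, cookie names and the name hints are constructed assumptions.

```python
"""Audit Set-Cookie headers for attributes that keep a session cookie off plaintext HTTP.

Added example, not code from the article or from the Idiocy tool. Without the Secure
attribute a browser will also send the cookie on http:// requests to the same domain,
which is exactly the traffic a sniffer on an open wifi network can read.
"""
from dataclasses import dataclass, field

# Constructed assumption: substrings that suggest a cookie carries a login session.
SESSION_NAME_HINTS = ("sess", "auth", "token", "login")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def audit_set_cookie(header_value, hints=SESSION_NAME_HINTS):
    name, attrs = parse_set_cookie(header_value)
    secure, httponly = "secure" in attrs, "httponly" in attrs
    audit = CookieAudit(name, secure, httponly)
    if any(h in name.lower() for h in hints):
        if not secure:
            audit.problems.append("session cookie lacks Secure: also sent over http://")
        if not httponly:
            audit.problems.append("session cookie lacks HttpOnly: readable from script")
    return audit


def audit_response_headers(headers):
    """headers: list of (name, value) pairs as received; one audit per Set-Cookie."""
    return [audit_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


# Constructed sample response headers: one unsafe session cookie, one hardened, one benign.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "_example_sess=c0nstructed; Domain=.example.com; Path=/; HttpOnly"),
    ("Set-Cookie", "_example_sess=c0nstructed; Domain=.example.com; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
```

Running `audit_response_headers(SAMPLE_HEADERS)` flags only the first cookie, for the missing Secure attribute.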