Droidsheep: Firesheep in Droid’s Clothing


Remember Firesheep? Firesheep is a Firefox browser extension that was created to demonstrate how easily session ID cookies from websites like Facebook and Twitter can be stolen when the site sends them unencrypted.

With Firesheep (and later, FaceNiff), a hacker on the same public wifi network can intercept these cookies. A session cookie does not contain your password, but it proves to the site that you are already logged in, and that is all the hacker needs: with it, they can use your Facebook or Twitter account as if they were you and access all of your account information.

But Firesheep wasn’t created by hackers. Firesheep was created by white hat hackers (meaning someone looking to expose online vulnerabilities in order to get them fixed) to show the risk of unencrypted cookies. The whole point was to highlight how insecure this information is, in the hope that Facebook and Twitter (and other companies) would take steps to improve their user security.

Session Hijacking and Session ID Cookies

With Firesheep (or later, FaceNiff), any hacker on the same public wifi network can intercept unencrypted session ID cookies from websites like Facebook. This is known as session hijacking.

When you log in to Facebook, Twitter, or any other website where you have a user account, the site assigns you a session ID and your browser sends it back, as a cookie, with every request it makes from then on. This session ID allows Facebook to remember who you are during all of your actions in that session (such as posting to a wall, making a status update, sending a message, etc.).

A hacker only has to pick this session ID cookie up off the network and then send Facebook an action of their own (such as a status update) carrying the same session ID. Facebook has no way of knowing that this is not you, because the session ID is the only thing it uses to tell who is asking, and the two cookies are identical.
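To make the mechanics concrete, here is an added example in Python. It is not code from Droidsheep, Firesheep or this site: it parses a constructed sample request of the kind a sniffer sees on open wifi, lifts the session cookie out of it, replays that cookie inside a different action, and shows that a toy server-side lookup cannot tell the two requests apart. The cookie name session_id, the hostname example.social and the session table are assumptions. It also includes a small check of the Set-Cookie flags (Secure, HttpOnly) that a site can set so the cookie never travels over plain HTTP in the first place.

```python
"""
Session hijacking on open wifi, reduced to its mechanics.

Added example, not Droidsheep's or Firesheep's code. The request, the
cookie name "session_id", the host "example.social" and the session
table are all constructed/assumed for illustration.
"""
from http.cookies import SimpleCookie

# Constructed sample: what a sniffer sees when the victim's browser talks
# plain HTTP to the site. Nothing here is encrypted on the air.
VICTIM_REQUEST = (
    b"POST /status/update HTTP/1.1\r\n"
    b"Host: example.social\r\n"
    b"Cookie: locale=en; session_id=9f2c1a7e4b8d0c6e\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 18\r\n"
    b"\r\n"
    b"status=hello+world"
)

# Assumed server-side session table: session ID -> logged-in user.
SESSIONS = {"9f2c1a7e4b8d0c6e": "alice"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_session_cookie(raw: bytes, name: str = "session_id"):
    """What Firesheep/Droidsheep do: pull the session cookie out of a sniffed request."""
    _, headers, _ = parse_request(raw)
    cookie_header = headers.get("cookie")
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None


def forge_request(session_id: str, host: str, path: str, body: bytes) -> bytes:
    """Build the attacker's request: a different action, the victim's cookie."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: session_id={session_id}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n"
    )
    return head.encode("latin-1") + body


def who_is_this(raw: bytes):
    """Toy server-side check: the cookie is the only identity the server has."""
    return SESSIONS.get(extract_session_cookie(raw))


def audit_set_cookie(set_cookie_header: str, name: str = "session_id") -> dict:
    """Report whether the session cookie carries the flags that defeat sniffing.

    Secure: the browser never sends it over plain HTTP, so a sniffer on an
    HTTP page never sees it. HttpOnly: script in the page cannot read it.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar[name]
    return {"secure": bool(morsel["secure"]), "httponly": bool(morsel["httponly"])}


if __name__ == "__main__":
    stolen = extract_session_cookie(VICTIM_REQUEST)
    forged = forge_request(stolen, "example.social", "/status/update", b"status=pwned")
    print("victim request is from:", who_is_this(VICTIM_REQUEST))
    print("forged request is from:", who_is_this(forged))
    print("cookie flags:", audit_set_cookie("session_id=%s; Path=/" % stolen))
```

Run as a script, the victim's and the attacker's requests both resolve to the same user, which is the whole problem: at the server there is nothing to distinguish them. The audit at the end is the check a site owner would want to run on their own Set-Cookie header; with the Secure flag missing, the cookie rides along on every plain-HTTP request the browser makes, and that is exactly where Firesheep and Droidsheep read it.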

The Droidsheep Cometh

Enter Droidsheep. Droidsheep works just like Firesheep, except that it runs on a rooted Android phone instead of in a desktop browser. In that sense it works similarly to FaceNiff: with Droidsheep or FaceNiff, all you need is a mobile phone on the same wifi network as the victim.

The main difference between Droidsheep and FaceNiff is that the creator of Droidsheep has made the software open source, which means that anyone can grab it and build their own version on top of the underlying code.

Of course, the creator insists that this is software for testing the security of your own accounts, and nothing more, and implores people not to use it to harm anyone. But on the next page he writes (in all caps) that he is not responsible for any damage done with his software.

So not only is this kind of session hijacking now free, the code needed to do it is available to anyone who wants it. And we have a feeling that there are many wannabe hackers out there itching to get their hands on exactly this kind of software.

VPNs: The Achilles Heel of Session Hijacking Software
The best way to protect your sensitive information from session hijacking software is to use a VPN, like PRIVATE WiFi, which encrypts all the data moving between your laptop or phone and the VPN server. Someone sniffing the hotspot then sees only encrypted traffic, cookies included. Note what a VPN does and does not cover: it protects the wireless hop where Droidsheep and Firesheep listen, but the traffic between the VPN server and the website is only as private as the website makes it. The complete fix is the VPN on your side plus HTTPS on the site's side, with the session cookie marked Secure so it is never sent over plain HTTP at all.


Jared Howe

Jared Howe is PRIVATE WiFi’s Senior Manager, Product Marketing Communications. Working in high tech for over 15 years, Jared currently lives in Seattle with his wife, daughter, and their two cats.
