See how your Facebook, Google, and other accounts can now be broken into through social widgets and see a new feature in Disconnect that protects you. Get Disconnect and the feature on our homepage.
Two years ago, a Firefox add-on named Firesheep demonstrated the longstanding trouble with Wi-Fi security. Eavesdropping on wireless traffic was and is probably the biggest security threat to most web users.
When you connect to a wireless network, your computer or mobile device sends and receives data similarly to a radio. Unless the data is encrypted by the network or sites you go to, anybody else with access to the network might be “tuning in” to view your search history, read your email messages, steal your credit-card info, and so on.
A wireless network can add encryption by using one of a few different security protocols, but these protocols have proven easy to defeat, and public Wi-Fi, like that at a coffee shop, library, or airport, uses none of the above. Sites can add encryption by using the HTTPS protocol rather than HTTP, but only login pages tend to require HTTPS (so that usernames and passwords are protected).
Because a site will set cookies to authenticate you after you log in, an attacker could just capture your cookies when you visit an unencrypted, non-login page, then break into your account with them. This attack is called “session hijacking” or “sidejacking”.
Sidejacking drew mainstream attention when Firesheep came out. Since then, things have gotten better and worse.
On one hand, a larger share of wireless networks support encryption, and the stronger WPA2 protocol in particular. Google and Twitter started switching HTTPS on by default, and Facebook made it available as an option (although lots of major social sites, including YouTube, Yahoo, and LinkedIn, still have minimal HTTPS coverage).
On the other hand, the shift to “cloud computing” has changed the makeup of the web. The advertising, analytics, content, and social business of sites is being passed onto third-party services, creating a new and increasing attack vector for the bad guys to exploit.
A new attack vector
Last year, I gave a talk at the DEF CON security convention about the prevalence and consequences of social widgets. My research indicated widgets from facebook.com could be found on 33 percent of the top 1,000 sites, from google.com on 25 percent, and from twitter.com on 20 percent.
According to BuiltWith, which unsurprisingly tracks what technologies sites are built with, Facebook Like buttons are up 63 percent in popularity year over year across the top 10,000 sites, Google +1 buttons up 33 percent, and Twitter Tweet buttons up 35 percent. (I aggregated widgets by domain and BuiltWith doesn’t, so comparing my numbers to theirs is fruitless except to suggest widget integration is trending up and to the right).
At DEF CON, I walked through the privacy pitfalls of social widgets. But in light of their expanding footprint, widgets also turn out to have a serious security pitfall.
You used to be able to avoid getting sidejacked by not going to sensitive sites when connected to public Wi-Fi or an otherwise insecure network. Now, widgets are part of so many sites that the threat has been spread all over the web.
Besides being widespread, widgets are usually embedded without HTTPS, and unencrypted widgets leak your cookies the same way unencrypted pages do. In other words, your accounts on Facebook, Google, et cetera can be hijacked through social widgets even if you never visit those sites.
An attacker could, for example, take control of your Facebook, YouTube, and LinkedIn accounts if you view nothing but a TechCrunch page (such as this one). As an analogue to sidejacking, we call this attack “widgetjacking”.
We put the video above together to show how the attack can be done and how a security feature we’re releasing in Disconnect defends against it. We tried to fully disclose the vulnerability without creating a tutorial for would-be attackers by leaving some bits out of the video, and we don’t recommend reconstructing the attack yourself except with consent (in the United States, at least, intercepting Wi-Fi signals may be considered wiretapping).
The “Secure Wi-Fi” feature will upgrade the major sites in Disconnect and their widgets to HTTPS whenever possible so your data is encrypted. See the video and our FAQs to get details and see our homepage to get Disconnect and the security feature for Chrome, Firefox, or Safari.
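As an added illustration of two points above, the cookie leak through widgets embedded over plain HTTP and the HTTPS-upgrade approach that “Secure Wi-Fi” takes, here is a small Python audit. It is example code written for this page, not Disconnect’s code. It scans a page for social-widget embeds, resolves protocol-relative (`//`) URLs against the page’s own scheme (a widget embedded that way on an HTTP page loads over HTTP), lists which cookies from a constructed cookie jar a browser would send in the clear, and shows the HTTPS rewrite. The sample page, the cookie jar, the `SOCIAL_DOMAINS` list and the simplified two-label domain matching are all constructed assumptions; real browsers apply fuller cookie-scoping rules.

```python
"""Audit a page for social widgets loaded over plain HTTP and report the
cookies that would travel unencrypted with each widget request.
Example code for illustration; not Disconnect's implementation."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed cookie jar: (name, cookie domain, Secure attribute set?).
# A cookie without the Secure attribute is sent on HTTP as well as HTTPS
# requests to its domain; that is the property sidejacking abuses.
COOKIE_JAR = [
    ("session", "facebook.com", False),
    ("auth", "google.com", True),      # Secure: never sent over plain HTTP
    ("sid", "twitter.com", False),
]

# Assumed list of widget providers whose embeds we want to upgrade.
SOCIAL_DOMAINS = ("facebook.com", "google.com", "twitter.com")


def registrable_domain(host):
    """Simplified: treat the last two labels as the cookie domain."""
    return ".".join((host or "").split(".")[-2:])


def resolve(url, page_scheme):
    """Protocol-relative embeds inherit the scheme of the embedding page."""
    return f"{page_scheme}:{url}" if url.startswith("//") else url


def cookies_exposed(url, jar=COOKIE_JAR):
    """Names of jar cookies a browser would send in the clear to this URL."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return []
    dom = registrable_domain(parts.hostname)
    return [name for name, cdom, secure in jar if cdom == dom and not secure]


def upgrade_to_https(url):
    """Rewrite an http:// widget URL from a known provider to https://."""
    parts = urlsplit(url)
    if parts.scheme == "http" and registrable_domain(parts.hostname) in SOCIAL_DOMAINS:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


class WidgetFinder(HTMLParser):
    """Collect src attributes of tags that commonly carry widget embeds."""
    TAGS = {"script": "src", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def audit(html, page_scheme="http", jar=COOKIE_JAR):
    """Return (resolved_url, upgraded_url, exposed_cookie_names) for every
    social-widget embed that would load over plain HTTP."""
    finder = WidgetFinder()
    finder.feed(html)
    findings = []
    for raw in finder.urls:
        url = resolve(raw, page_scheme)
        parts = urlsplit(url)
        if parts.scheme != "http" or registrable_domain(parts.hostname) not in SOCIAL_DOMAINS:
            continue
        findings.append((url, upgrade_to_https(url), cookies_exposed(url, jar)))
    return findings


# Constructed sample page: three widget embeds that load over HTTP on an
# HTTP page (one via a protocol-relative URL) and one already on HTTPS.
SAMPLE_PAGE = """<html><body>
<iframe src="http://www.facebook.com/plugins/like.php?href=example"></iframe>
<script src="//apis.google.com/js/plusone.js"></script>
<script src="http://platform.twitter.com/widgets.js"></script>
<script src="https://platform.twitter.com/widgets.js"></script>
</body></html>"""

if __name__ == "__main__":
    for url, fixed, exposed in audit(SAMPLE_PAGE):
        print(f"{url}\n  -> {fixed}\n  cookies sent in the clear: {exposed or 'none'}")
```

Running it flags the Facebook, Google and first Twitter embeds. The Google entry shows no exposed cookie because its cookie carries the Secure attribute, which is the site-side fix the post argues for; the rewrite to `https://` is the client-side mitigation that works even when the site has not set that attribute.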
Firesheep’s developer wrote that “websites have a responsibility to protect the people who depend on their services” by enabling HTTPS and that “they’ve been ignoring this responsibility for too long”. Two years later, there aren’t good arguments against HTTPS anymore, social widgets are putting users at greater risk, and HTTPS is overdue to be made the default.
Update (November 20, 2012): We rolled back “Secure Wi-Fi” for Safari due to a performance bug on startup. We should have a fix to push soon, so make sure you’re auto-updating as per this FAQ.
Posted by Brian Kennish