Video & Analysis | Huge Security Hole Puts Coffee Shop Web Surfers at Significant Risk
Unskilled hackers at your local coffee shop can gain complete access to your Facebook account as well as other online services with a simple mouse click. Fixing the problem is easy but many people haven’t implemented it, surfing away completely unaware of how vulnerable they may be to a cyber intrusion.
Public hotspots are essentially mini broadcast towers transmitting radio signals to your computer. Like a radio, every computer connected to the hot spot has access to everything being transmitted. Your computer only looks for data “packets” that are specifically addressed to it.
Facebook and most other websites work by initially requiring a password to log in. Following the password submission, Facebook’s server sends back a file called a “cookie.” Once the cookie is on your system, Facebook no longer needs the password while navigating the site.
But — when using that coffee shop’s WIFI, your Facebook cookie also is transmitted in the air to every computer connected to shop’s hotspot. “Law abiding” computers and their users simply ignore packets of information that are not specifically directed to them. But it is possible, using very simple software available as a browser plugin, to “listen” for other people’s cookies and download the files. Since Facebook has no way of telling the difference between computers coming from the same location, anyone can assume your Facebook identity. A simple double-click is all it takes to assume another customer’s online identity.
Watch a video demonstrating the problem:
If that’s not scary enough, once your Facebook account has been compromised, the hacker also has access to all the other sites you may access through the Facebook interface. Hundreds of sites now accept a Facebook login instead of a separate username and password. One of those is Yahoo Mail, and we were able to log into our mail account with just the Facebook cookie we grabbed out of the air. This trick works with more than just Facebook. Hackers can view your previous Amazon purchases, and even take over a WordPress blog.
Fixing this problem doesn’t take much effort. In fact operators of public hotspots could address the vulnerability altogether by securing their services with WPA wireless encryption and a password. Even a WPA password as simple as “12345” would create individual secure “tunnels” for users on the network and would prevent a hacker’s ability to swipe cookies out of the air.
Until then, fixing Facebook is as simple as turning on secure browsing in the security section of your account settings page. If you’re not secured, Facebook may pop up a warning message from time to time with instructions as to how to secure your account.
Facebook is not the only service vulnerable to this hack. If you have to use a public hotspot, only use websites that allow you to browse securely. Secure sites always begin with https:// in your address bar, rather than http://.
Some sites already have taken steps to secure themselves and their users. Google’s email service now defaults all users to a secure connection. Facebook says they are working toward making the feature mandatory, but will require users to opt-in for the more secure service for the time being. Enabling encryption requires more server resources be made available for each user, and when multiplying that demand by hundreds of millions of users, it can be a major (and expensive) infrastructure upgrade.
“It is far from a simple task to build out this capability for the more than three-quarters of a billion people that use the site and retain the stability and speed we expect, but we are making progress daily toward this end,” the company said in statement.
CTTechJunkie has reached out to a number of establishments to find out why they have not enabled local encryption on their hotspots. None have returned our calls or emails at the time of this post.
Good security practices go beyond just the local coffee shop, however. You should also secure yourself at home by ensuring your home wireless is enabled with WPA or WPA2 encryption. A neighbor or anyone in vicinity of an unsecured access point in your home can run this same hack to access your personal information. When you’re away from home, think about tethering to your cellphone for Internet access and avoiding unencrypted public hotspots. If your cellphone uses WiFi to share its signal, be sure to secure that with WPA encryption too.
Have questions? We’ll answer them here and on our Facebook page.