Yesterday, we wrote about the Firesheep extension for Firefox, which brought session hijacking to the masses. Ostensibly a tool to highlight the unencrypted session handling employed by many popular websites, it is user-friendly enough that novices sharing a network (an open Wi-Fi hotspot, say) can sniff out and hijack sessions that are not protected by SSL.
Unsurprisingly, the newfound simplicity of launching these session hijacking attacks kicked up quite a fuss on Twitter, and Firesheep received over 100,000 downloads overnight.
In response to the rapid uptake of Firesheep, Jonty Wareing has just released a somewhat different tool called Idiocy. This acts as “a warning shot to people browsing the internet insecurely” by sniffing network traffic to see if anyone is visiting the Twitter website over an unencrypted HTTP connection; if they are, it hijacks the session and automatically posts a tweet from their account to warn them that they are vulnerable. The tweets helpfully include a link to a page which explains what happened, and how to prevent it happening in the future.
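To make the mechanism concrete, here is an added example (not Idiocy's or Firesheep's own code) of the passive part of such a tool: inspecting HTTP requests captured on port 80 and flagging any that carry a Twitter session cookie in the clear. It works on request text as it would appear on the wire; the packet capture itself is out of scope and the sample traffic below is constructed by hand. The cookie names it watches for (`_twitter_sess`, `auth_token`) and the `CAPTURE` data are assumptions for the example.

```python
"""Passive detector for session cookies sent over plaintext HTTP.

Added example, not code from Idiocy or Firesheep. Input is the text of
HTTP requests seen on TCP port 80 (sniffing itself is not shown); the
capture below is constructed for illustration.
"""
from typing import Dict, List, Set

# Assumed: cookie names that carry a login session for the sites watched.
SESSION_COOKIES: Dict[str, Set[str]] = {
    "twitter.com": {"_twitter_sess", "auth_token"},
}


def parse_http_request(raw: str) -> dict:
    """Split one plaintext HTTP request into request line and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Turn a Cookie request header into a name -> value mapping."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def matches_site(host: str, site: str) -> bool:
    """True if the Host header names the site or one of its subdomains."""
    host = host.split(":")[0].lower()
    return host == site or host.endswith("." + site)


def find_exposed_sessions(captured: List[dict]) -> List[dict]:
    """captured: list of {"src": client ip, "raw": request text} from port 80.

    Returns one finding per request that sends a watched session cookie
    unencrypted; anyone on the same network could replay that Cookie
    header and act as the user, which is all a hijack amounts to.
    """
    findings = []
    for pkt in captured:
        req = parse_http_request(pkt["raw"])
        host = req["headers"].get("host", "")
        cookies = parse_cookies(req["headers"].get("cookie", ""))
        for site, names in SESSION_COOKIES.items():
            if not matches_site(host, site):
                continue
            leaked = sorted(set(cookies) & names)
            if leaked:
                findings.append({"src": pkt["src"], "site": site,
                                 "cookies": leaked, "target": req["target"]})
    return findings


def set_cookie_is_safe(set_cookie: str) -> bool:
    """True if a Set-Cookie header carries the Secure attribute, so the
    browser will only ever send the cookie over HTTPS. HttpOnly does not
    help here: it stops scripts reading the cookie, not the network."""
    attrs = [p.strip().lower() for p in set_cookie.split(";")[1:]]
    return "secure" in attrs


# Constructed sample traffic: one logged-in user, one anonymous visitor,
# one request to an unrelated host.
CAPTURE = [
    {"src": "10.0.0.12", "raw": "GET / HTTP/1.1\r\nHost: twitter.com\r\n"
                                "Cookie: _twitter_sess=BAh7CToHaWQ; lang=en\r\n\r\n"},
    {"src": "10.0.0.15", "raw": "GET /about HTTP/1.1\r\nHost: twitter.com\r\n"
                                "Cookie: lang=en\r\n\r\n"},
    {"src": "10.0.0.20", "raw": "GET /x.png HTTP/1.1\r\nHost: static.example.net\r\n\r\n"},
]

if __name__ == "__main__":
    for f in find_exposed_sessions(CAPTURE):
        print(f"{f['src']} sent {f['cookies']} to {f['site']} in the clear")
    print("Secure flag present:",
          set_cookie_is_safe("_twitter_sess=abc; path=/; HttpOnly; Secure"))
```

The detector only needs the request headers, which is why no encryption on the session token itself would help: the token is the credential, and it has to be sent. The fix the sites can apply is to serve the whole logged-in session over HTTPS and mark the session cookie `Secure`, so the browser never puts it on the wire in plaintext; on the client side, browsing the site only over HTTPS achieves the same thing.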
So rather than allowing anybody to exploit session hijacking for malign purposes, this tool tells the ‘victim’ how to browse more safely. The code and documentation for Idiocy are available from Jonty’s GitHub repository.