Be careful this Affiliate Summit when using WiFi. The affiliate accounts at many major networks are vulnerable to being hijacked by Firesheep, which means your account could be quite easily compromised. This vulnerability was recently demonstrated on popular sites such as Twitter and Facebook, but we have tested and found several affiliate networks vulnerable as well.
In fact, it is very easy for an unsophisticated attacker to take control of many affiliate accounts you access over WiFi while at Affiliate Summit.
Since being featured on TechCrunch, Firesheep has been downloaded over a million times. For those who aren't familiar with Firesheep, it is a Firefox extension that makes it dead simple to take control of many web accounts belonging to other users on the same network without the compromised users' knowledge.
While the exploit Firesheep uses isn't new, it brings account hijacking out of the realm of the hacker and makes it easy for just about anyone. In practice, tools like Firesheep are most dangerous when large groups of people with predictable web interests gather in one location and use shared Internet connections.
Such as, well, Affiliate Summit.
In fact, nearly every major Internet conference since the TechCrunch article has had reports of Firesheep usage (there is a Firefox extension that can detect if someone on the network is using Firesheep).
What could an attacker really do?
We examined six well-known affiliate networks. Three of them were well-protected against Firesheep (Commission Junction, Google Affiliate Network and Buy.at). The other three were, unfortunately, nearly completely vulnerable. On the vulnerable networks, we were able to:
- Change or set up direct deposit accounts. On all three networks we were able to change the bank account that direct deposits were sent to.
- Change passwords. We were able to change account passwords on two of the three networks.
- Read existing passwords. On one network, we could even read the account's existing password. The implications are alarming for users who share passwords.
- Join Programs. On all the networks, we could pretty much engage in any regular business, such as join programs, leave programs, etc.
- Approve affiliates. We even tested the merchant interfaces for the networks and found them to be similarly vulnerable.
Of course, the vulnerable networks probably have additional checks for suspicious behavior, so simply changing a bank account doesn't ensure the attacker would be able to successfully receive payments to their account, but would you want to risk it?
How do you protect yourself?
Your best bet is to avoid using WiFi connections to access sensitive accounts that do not require SSL connections. Note that even if the wireless network is encrypted, you are only safe if you trust everyone connected to the network. This means that an exhibition hall, hotel, or coffee shop that uses a "secure" WiFi with a shared password does you no good. Exploits currently exist to intercept traffic on every form of WiFi connection (encrypted or otherwise). Even shared wired networks are vulnerable.
If you absolutely must log in to your affiliate accounts (or Facebook or Twitter for that matter) and you must do it over a WiFi connection, we recommend you use HTTPS Everywhere, a Firefox extension that forces HTTPS connections at many known sites (we do NOT recommend Force TLS*). HTTPS Everywhere doesn't include out-of-the-box support for affiliate networks, but we quickly put together a ruleset that you can use to force SSL connections on the vulnerable websites. You can download the file here, and you'll want to review EFF's instructions for where to place the file. We've lightly tested the file and it seems to work correctly, but you'll be using it at your own risk.
*Force TLS is another popularly recommended Firefox extension, but we found it left one of the networks exposed so we suggest you skip it.
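The two technical points above (how we judged a network "vulnerable", and what an HTTPS Everywhere ruleset for it looks like) can be shown in a short script. This is an added example, not BrandVerity's test harness and not the ruleset linked above. The hostnames, cookie names and response headers in it are constructed for illustration; the check itself is the one that matters for Firesheep: a session cookie set without the Secure flag is sent in the clear on any plain-HTTP request, so anyone on the same network can copy it and reuse it.

```python
"""Audit login-response headers for Firesheep-style session exposure and
emit an HTTPS Everywhere ruleset for the hosts that need HTTPS forced.

Added example: not BrandVerity's code or ruleset. All hosts and header
values below are constructed; they do not describe any real network.
"""
from xml.sax.saxutils import quoteattr

# Constructed sample: what the login response of three hypothetical
# affiliate networks might look like when fetched over plain HTTP.
SAMPLE_RESPONSES = {
    "network-a.example": [
        ("Set-Cookie", "sessid=abc123; Path=/; HttpOnly"),   # no Secure flag
    ],
    "network-b.example": [
        ("Set-Cookie", "sessid=def456; Path=/; Secure; HttpOnly"),
        ("Strict-Transport-Security", "max-age=31536000"),
    ],
    "network-c.example": [
        ("Set-Cookie", "PHPSESSID=ghi789; path=/"),           # no Secure flag
        ("Set-Cookie", "prefs=dark; path=/"),                 # not a session cookie
    ],
}

# Substrings that usually mark a cookie as carrying the login session.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value):
    """Split a Set-Cookie header into (cookie name, set of lowercased attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name.strip(), attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_host(headers):
    """Report session cookies a sniffer could replay, and whether HSTS is set."""
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    exposed = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        # Without Secure, the browser sends this cookie on http:// URLs too.
        if looks_like_session_cookie(name) and "secure" not in attrs:
            exposed.append(name)
    return {"hsts": hsts, "exposed_session_cookies": exposed}


def vulnerable_hosts(responses):
    """Hosts whose session cookie would travel unencrypted over plain HTTP."""
    return sorted(host for host, headers in responses.items()
                  if audit_host(headers)["exposed_session_cookies"])


def https_everywhere_ruleset(name, hosts):
    """Build an HTTPS Everywhere ruleset forcing https:// for the given hosts.

    <securecookie> makes the extension add the Secure flag client-side to
    cookies the server forgot to mark, so they stop leaking over HTTP.
    """
    lines = [f"<ruleset name={quoteattr(name)}>"]
    for host in hosts:
        lines.append(f"  <target host={quoteattr(host)} />")
    lines.append('  <securecookie host=".+" name=".+" />')
    lines.append('  <rule from="^http:" to="https:" />')
    lines.append("</ruleset>")
    return "\n".join(lines)


if __name__ == "__main__":
    for host, headers in SAMPLE_RESPONSES.items():
        print(host, audit_host(headers))
    print(https_everywhere_ruleset("Affiliate networks (example)",
                                   vulnerable_hosts(SAMPLE_RESPONSES)))
```

A ruleset like this only helps if the network actually serves every page it uses over HTTPS; if a site redirects https:// back to http://, the rule will loop or break the site, which is why the ruleset linked above is described as lightly tested. The durable fix is on the network's side: mark the session cookie Secure (and HttpOnly), serve the whole logged-in session over HTTPS, and send Strict-Transport-Security so browsers never make the plain-HTTP request in the first place.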
BrandVerity isn't vulnerable!
We're happy to report that you may comfortably use your BrandVerity account on any type of connection as we are not vulnerable to session hijacking exploits.