This post is written by Jim Patterson, Director of Platform at Yammer.
This week a Firefox extension called FireSheep was released, which allows a malicious user on an open wireless network to hijack the web sessions of other users connected to the same wireless access points. It received widespread attention, and we had several inquiries from users about whether Yammer is susceptible to this kind of attack. We wanted to provide more information on FireSheep and confirm that Yammer is not vulnerable to it. FireSheep specifically targets social networking sites like Facebook and Twitter and takes advantage of the fact that while most sites encrypt your login credentials using HTTPS, the rest of the session as you are browsing is unencrypted. The tool “sniffs” out your session cookies from the wireless network and uses those cookies to impersonate you and hijack your session, which gives the attacker access to your account. 
Although FireSheep was just released, this vulnerability isn’t new and has been known to exist for several years. Security researchers released a tool at the Black Hat Conference in 2007 that exploited the same hole to take control of a user’s Gmail account. Google responded by adding a setting to force HTTPS encryption for the entire session; however, this setting is not enabled by default.
Yammer, being an enterprise social network, requires HTTPS for all connections to our website, including our desktop, mobile and third party applications, for the full duration of the session. Fully encrypting your entire Yammer session protects your account from being hijacked by network sniffing tools like FireSheep.
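The difference between the two designs above can be checked mechanically. The following Python is an added example (not Yammer's code) that audits constructed HTTP responses for the two conditions Firesheep depends on: content served over plain HTTP instead of a redirect to HTTPS, and a session cookie without the `Secure` attribute, which is the cookie-level control the post does not name but which keeps a browser from sending the cookie over HTTP. The cookie-name heuristics and the sample responses are assumptions made for this example.

```python
"""Audit HTTP responses for the exposure Firesheep exploits: a session cookie
that the browser will send over unencrypted HTTP. Added example, not Yammer's
code; every response below is constructed."""

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")  # assumption: name heuristics


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_response(scheme, status, headers):
    """Return finding codes for one response; scheme is that of the request."""
    findings = []
    location = next((v for k, v in headers if k.lower() == "location"), "")
    # A site that truly requires HTTPS answers plain-HTTP requests only with a redirect.
    if scheme == "http" and not (300 <= status < 400 and location.startswith("https://")):
        findings.append("NO_HTTPS_REDIRECT")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        is_session = any(h in name.lower() for h in SESSION_HINTS)
        if scheme == "http":
            # Anything set over HTTP has already crossed the wire in the clear.
            findings.append(f"COOKIE_SET_OVER_HTTP:{name}")
        if is_session and "secure" not in attrs:
            # Without Secure, the browser attaches the cookie to any later http:// request.
            findings.append(f"SESSION_COOKIE_NOT_SECURE:{name}")
    return findings


# Constructed responses. Login over HTTPS, but the cookie lacks Secure: the Firesheep case.
CONSUMER_SITE = ("https", 200, [("Set-Cookie", "session_id=abc123; Path=/; HttpOnly")])
# Full-session HTTPS: plain HTTP only redirects, and the session cookie is Secure.
HARDENED_SITE_HTTP = ("http", 301, [("Location", "https://example.test/")])
HARDENED_SITE_HTTPS = ("https", 200, [("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, resp in [("consumer", CONSUMER_SITE), ("hardened http", HARDENED_SITE_HTTP),
                        ("hardened https", HARDENED_SITE_HTTPS)]:
        print(label, audit_response(*resp) or ["OK"])
```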
To protect yourself while using consumer websites, here are some recommendations:
- Make sure all sensitive communication takes place over encrypted channels like a VPN or HTTPS.
- When surfing consumer sites from public wireless networks, use the HTTPS version of the site.
- Consider using a browser plugin like Force-TLS to force the encrypted version of the website when available.