877 MY NERDS

Easily protect yourself from widget jacking

Do you roam with your laptop? Do you use hotspots or guest wireless networks? If you answered yes to both of these questions, then you need to read this. I know what you’re thinking: Another security issue I have to worry about? Everything I’ve done to keep my computer safe still isn’t good enough?

Image courtesy FreeDigitalPhotos.net


It was not so long ago that we learned of Firesheep, a Firefox extension that easily hijacks the Facebook accounts of strangers who are on the same wireless network as the attacker, such as at a coffee shop offering free WiFi. While the creation of Firesheep caused a good deal of controversy, nobody disputes that it brought necessary security awareness to website users and providers alike. With the rapid adoption of smartphones and tablets and the continued growth of notebook use in public areas, we all need to be aware of the security risks associated with taking our digital exchanges to the public airwaves.

As Firesheep downloads kept on increasing – and surely a lot of Facebook accounts were indeed compromised – Facebook responded by tightening its security settings and offering an option under Account Security like this:

Screen Shot to enable Facebook SSL

What Facebook did was to SSL-secure its users’ browsing (or at least provide them with an option to do so).

Widget jacking is a logical evolution of the way Firesheep hijacked Facebook users. While Facebook was able to respond with security upgrades on its own website, it has no control over the code on other owners’ websites, such as sites that embed “Like” links. Those links are embedded pieces of code called widgets. Those widgets have never been secured with SSL, making users vulnerable once again to potential hijacking over the airwaves.

We are using Facebook as an ongoing example here, but the weakness is there for all social media widgets, including Twitter, Pinterest, YouTube, etc. Even our own blog includes such widgets.

The good news is that you can protect yourself from widget jacking very easily by following these steps:

  1. From your laptop’s browser visit www.disconnect.me

  2. Click on the Get Disconnect button

  3. Follow the on-screen instructions and restart your browser


The above browser extension is free and available for Firefox, Chrome and Safari. Your public hotspot visits are now safe from social media widget jacking! Enjoy.
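For site owners who embed such widgets, the weakness described above can be checked from the page source: a widget fetched over plain HTTP travels in cleartext on an open network. The following Python is an added example, not code from the original post or from Disconnect; the widget host list and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed, illustrative list of widget hosts; extend it for your own site.
WIDGET_HOSTS = ("facebook.com", "facebook.net", "twitter.com",
                "pinterest.com", "youtube.com")
# Tags whose URL attribute makes the browser fetch a resource on page load.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "embed": "src"}


class WidgetAudit(HTMLParser):
    """Collect social widget embeds that a page would fetch without TLS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, resolved URL) pairs

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        # urljoin resolves protocol-relative "//host/x" against the page
        # scheme, so such a widget is cleartext when the page itself is.
        resolved = urlparse(urljoin(self.page_url, url.strip()))
        host = (resolved.hostname or "").lower()
        is_widget = any(host == h or host.endswith("." + h) for h in WIDGET_HOSTS)
        if is_widget and resolved.scheme == "http":
            self.insecure.append((tag, resolved.geturl()))


def audit(page_url, html):
    """Return the widget embeds in html that page_url would load over HTTP."""
    parser = WidgetAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.insecure


# Constructed sample page, not taken from any real site.
SAMPLE = """
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script src="//platform.twitter.com/widgets.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="/images/logo.png">
<script src="HTTP://assets.pinterest.com/js/pinit.js"></script>
"""

if __name__ == "__main__":
    for page in ("http://blog.example/post", "https://blog.example/post"):
        print(page, audit(page, SAMPLE))
```

Serving the page itself over HTTPS fixes the protocol-relative embed, but any widget URL hard-coded as `http://` still has to be changed by hand.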

2 Responses to “Easily protect yourself from widget jacking”

  1. Jean-Guy January 11, 2013 at 2:01 pm #

    Tried to get it but web page is grayed out and won’t download.
    Did I miss something?

  2. Kevin January 11, 2013 at 11:23 pm #

    Hi Jean-Guy,

    Disconnect.me is greyed out for you, or do you get a greyed out page when you click the “get disconnect” button? Also, to be clear, you’re using Firefox?
