What is Widget Jacking?
When a web page displays social media widgets, such as a Facebook like button, your computer sends a cookie that can be intercepted (jacked) and used to gain access to your social media accounts, even when you are not logged in. When this happens it is known as widget jacking.
How it works
When you last logged into a social media website a cookie was saved on your computer that contains information about you and your social media account. This cookie contains useful information to anyone that would like to gain access to your account.
Most social media web sites enforce the use of a secure connection (HTTPS) when you log in so the sending and updating of this cookie is over a secure connection using encryption.
The problem is that to encourage traffic to these social media sites the use of 'widgets' has emerged. These social media widgets look like small buttons that anyone can put on their website. They come in many forms such as a Facebook like, Twitter re-tweet, LinkedIn like or Google +1 button.
When you surf to a web site that displays these buttons in your web browser, the displaying of these buttons is also connecting you to the social media sites via a non-secure (HTTP) connection and your web browser looks to see if you have any cookies for these sites. If you do, it sends them unencrypted across the internet.
If you are surfing from home over a wired connection then there is less risk of your cookie becoming jacked, but it is still possible. However, if you are surfing over a wireless connection, especially if you are in a public place such as a cafe with free wifi, then it is very easy for someone to see your cookie being transmitted and to grab it using a tool such as WireShark.
How to avoid widget jacking
Never surf the web while remaining logged into a social media web site unless you are using extra protection such as the NOSCRIPT plug-in for Firefox or disconnect.me for other web browsers.
After you have logged out of your social media account run a tool such as CleanUp! to erase all your surfing history and all the cookies from your computer. That way if you then surf the web and view web sites that display any social media widgets then you are not susceptible to widget jacking.
If you have any feedback regarding this article, or you have a suggestion for a new article, or just want to say thanks for the info then feel free to drop me an email at firstname.lastname@example.org.
Article date: 3rd March 2013