An Idiot's Guide to Hijacking Facebook Profiles

...And how to protect yourself against it

This article is from the archive of our partner .

A small-time Web developer in Seattle has built an easy-to-use software program that allows users to hack into other people's Facebook accounts. The program is called Firesheep and it exists as a Firefox add-on. It gives users full access to other people's accounts, including pictures, wall posts and messages. Amazon, Windows Live, Twitter and scores of other sites are also vulnerable to Firesheep. Once the add-on is downloaded, it just takes three easy steps:

On his blog Eric Butler, the software's creator, said he built Firesheep to send an important message:

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.

Here's what tech bloggers are finding out about Firesheep and what users can do to protect themselves:

If a site is not secure, it keeps track of you through a cookie (more formally referenced as a session) which contains identifying information for that website. The tool effectively grabs these cookies and lets you masquerade as the user.

Apparently many social network sites are not secured; beyond the big two, Foursquare and Gowalla are also vulnerable. Moreover, to give you a sense of Firesheep's scope, the extension is built to identify cookies from Basecamp, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp. And that's just the default setting; anyone can write their own plugins, according to the post.

  • This Is a Big Problem for Websites, writes Darlene Storm at Computer World:
Although many websites give lip service about how important their users' privacy and security is to them, very few have their entire site encrypted with HTTPS. Most sites encrypt the username and password during the login process, but most of those sites stop encrypting and protecting the user right there. As soon as a user moves on to a regular HTTP page on the site, an attacker can sniff and capture the user's cookie information.
  • Many People Now Have the Power, writes Evelyn Rusli at TechCrunch: "Within an hour of Butler’s post appearing on Hacker News, Firesheep was downloaded more than 1,000 times and evidence of usage has already popped up on Twitter in fantastic fashion."
  • How to Protect Yourself, Mike Melanson at Read Write Web explains:
TechCrunch pointed to Force-TLS as a potential solution. The Firefox extension allows you to force sites like Twitter or Facebook to use HTTPS.... Many, however, pointed out that the most secure route is to set up a VPN (virtual private network) for whenever you access the Internet using unsecured wireless. Others pointed to an SSH (secure shell), which allows the secure transfer of information. At the same time, other commenters pointed out ways that these too might not be secure.
  • 'Sidejacking' Does Have Its Limits Though, points out Ian Paul at PC World:
There's no question that Firesheep highlights an important Web browsing security flaw that could expose your account to a malicious hacker. But it's also important to keep in mind that sidejacking has its limits. Using Firesheep is not likely to expose your user password. So a hacker may be able to use Firesheep to take action on your behalf such as send an e-mail, post a status update, or send out a tweet. But it's unlikely that Firesheep could be used to steal your account by switching your password on you. Unless, of course, you are using a service that lets you change your password without entering the current one--a rare occurrence these days.
  • Certain Networks Are More Dangerous Than Others, writes Ryan Tate at Gawker: "If your local cafe uses WPA encryption on the router, you'd almost certainly be fine. The vulnerable networks are those that are totally open, as well as, possibly, networks that use the weak WEP password system. You'll typically see these types of vulnerable networks in college dormitories, cafes and restaurants, or at other businesses that never bothered to modernize their wireless infrastructure."
  • I Applaud This Stunt, writes Mike Melanson at Read Write Web: "It seems that Butler has a valid point and maybe, only through making the insecurities this glaringly obvious, will the big social networks - with which we share all our daily minutiae - change their insecure ways."
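The weakness the bloggers above describe is a server-side one: a site encrypts the login, then hands the browser a session cookie that is also sent on plain HTTP pages, where anyone on the same open network can read it. The check below is an added example, not code from the article or from Firesheep, of what a site operator would look for in their own responses: a session cookie without the `Secure` attribute (so it is sent over HTTP at all), without `HttpOnly`, and no `Strict-Transport-Security` header (the server-side counterpart of the Force-TLS extension mentioned above, which tells browsers to use HTTPS for the whole site). The two HTTP responses and the cookie name `session_id` are constructed for the example.

```python
"""Audit a site's HTTP response headers for the sidejacking exposure
Firesheep demonstrated. Added example; the responses below are constructed."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie_name, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_response(headers, session_cookie_names):
    """Return a list of findings for a response given as (name, value) pairs.

    An empty list means every named session cookie is confined to HTTPS and
    the site asks browsers to stay on HTTPS. Anything else is what a
    cookie-sniffing tool on an open wireless network can exploit.
    """
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    if not has_hsts:
        findings.append("no Strict-Transport-Security header: browsers may keep "
                        "loading plain-HTTP pages, sending cookies in the clear")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if cookie not in session_cookie_names:
            continue
        if "secure" not in attrs:
            findings.append(f"session cookie {cookie!r} lacks Secure: it is sent "
                            "on every HTTP page and can be sniffed")
        if "httponly" not in attrs:
            findings.append(f"session cookie {cookie!r} lacks HttpOnly: "
                            "readable by any script on the page")
    return findings


# Constructed sample: the pattern the bloggers describe. Login happened over
# HTTPS, but the session cookie is valid on HTTP too and HSTS is absent.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Constructed sample: same site after the fix. The cookie never leaves HTTPS,
# scripts cannot read it, and browsers are told to use HTTPS site-wide.
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

SESSION_COOKIES = {"session_id"}


def audit_weak():
    return audit_response(WEAK_HEADERS, SESSION_COOKIES)


def audit_hardened():
    return audit_response(HARDENED_HEADERS, SESSION_COOKIES)


if __name__ == "__main__":
    for label, findings in (("weak", audit_weak()), ("hardened", audit_hardened())):
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Note that the `lang` cookie is deliberately left alone: only cookies that authenticate the user need to be confined to HTTPS, which is why the audit takes the set of session cookie names as input rather than flagging every cookie. The Secure attribute is the part that directly defeats Firesheep's technique; HSTS closes the gap where a user types the site's name without `https://` and the first request goes out unencrypted.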
This article is from the archive of our partner The Wire.