Firefox add-on allows easy hacking of Facebook, Twitter and Flickr

A new Firefox add-on could allow even the most inexperienced of hackers to tap into your Facebook or email accounts via an unsecured public Wi-Fi network.

Dubbed ''Firesheep'', the add-on takes advantage of a technique known as ''HTTP session hijacking'', also known as "sidejacking". Using Firesheep is as simple as installing the add-on, connecting to an open WiFi network, opening a sidebar and clicking a button.

As soon as another user on the network logs into a site that sends its session cookie over unencrypted HTTP, their details appear in the sidebar. Just a double-click later, and the Firesheep user is logged in as someone else, and free to do as they please.

Vulnerable sites include Facebook, Flickr and Twitter.

The trick, according to Firesheep creator Eric Butler, lies in cookies: small pieces of data a website stores in the browser and the browser sends back with every request to that site. After a login the site sets a session cookie that identifies the user, so whoever presents that cookie is treated as that user. When the site serves its pages over plain HTTP, that cookie travels ''in the clear'', and on an open WiFi network anyone within radio range can capture it. Firesheep does exactly that: it grabs the cookie and replays it to impersonate the user. The password itself is never needed.

In a statement on his website, Mr Butler said he created the add-on in the hope that website owners would take their users' security more seriously.

''Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,'' he said.

He said the only way to prevent the kind of attack Firesheep leverages is end-to-end encryption, that is, serving the whole session over HTTPS rather than just the login page. One enterprising student from Iceland has also created FireShepherd, a Windows-only program that floods a wireless network with packets to stop Firesheep from working; it disrupts the add-on rather than protecting the cookies, which still travel unencrypted.
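The mechanics described above, both the capture-and-replay side and the fix, as an added example that is not Firesheep's or FireShepherd's own code. It models a Firesheep-style sidejacker as a parser over constructed packets: cleartext HTTP requests give up their session cookies, while a TLS record on port 443 yields nothing. The hosts (social.example, photos.example), the per-site cookie names in SITE_HANDLERS and the captured packets are all assumptions made for this example; the second half is the check a site owner would run on their own Set-Cookie headers, since a session cookie without the Secure attribute is sent with plain-HTTP requests too, even on a site that logs users in over HTTPS.

```python
"""Sidejacking over plain HTTP: attacker's view and site owner's check.

Added example; hosts, cookie names and packets below are constructed
for illustration and are not taken from the article or from Firesheep.
"""
import re

# Hypothetical per-site handlers, in the spirit of Firesheep's site
# handlers: which cookie names on which host carry the session.
SITE_HANDLERS = {
    "social.example": ("sid", "user_id"),
    "photos.example": ("auth_token",),
}

# Constructed capture as (client_ip, dst_port, payload): two cleartext
# HTTP requests and one TLS-record-shaped blob on port 443.
CAPTURE = [
    ("10.0.0.7", 80,
     b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
     b"Cookie: sid=7f3a9c1e; user_id=1001; theme=dark\r\n\r\n"),
    ("10.0.0.9", 80,
     b"GET /photos HTTP/1.1\r\nHost: photos.example\r\n"
     b"Cookie: auth_token=d41d8cd9\r\n\r\n"),
    ("10.0.0.7", 443,
     b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),
]

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def parse_http_request(payload):
    """Return (host, cookie dict) for a cleartext HTTP request, else None.

    Encrypted traffic never matches the request-line pattern, which is
    all the protection HTTPS needs to give against this attack.
    """
    text = payload.decode("ascii", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        key, _, value = pair.strip().partition("=")
        if key:
            cookies[key] = value
    return headers.get("host", ""), cookies


def sidejack(capture, handlers=SITE_HANDLERS):
    """Collect session cookies per (client, host), as the sidebar would.

    Only cookies a handler names are kept; preference cookies like
    theme=dark are ignored because they do not identify the user.
    """
    found = {}
    for client, _port, payload in capture:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue
        host, cookies = parsed
        wanted = handlers.get(host)
        if wanted and all(name in cookies for name in wanted):
            found[(client, host)] = {n: cookies[n] for n in wanted}
    return found


def replay_header(session):
    """The Cookie header the attacker sends to be treated as that user."""
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in session.items())


def missing_cookie_protections(set_cookie):
    """Attributes a session Set-Cookie line should carry but does not.

    Secure is the one that matters for sidejacking: without it the browser
    also attaches the cookie to plain-HTTP requests to the same host (an
    http:// image or link is enough). HttpOnly is reported as well, since
    it keeps the value away from page scripts.
    """
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


if __name__ == "__main__":
    for (client, host), session in sidejack(CAPTURE).items():
        print(f"{client} -> {host}: {replay_header(session)}")
    weak = "Set-Cookie: sid=7f3a9c1e; Path=/"
    fixed = "Set-Cookie: sid=7f3a9c1e; Path=/; Secure; HttpOnly"
    print("weak header missing:", missing_cookie_protections(weak))
    print("fixed header missing:", missing_cookie_protections(fixed))
```

Running it lists the two hijackable sessions and the exact Cookie header that would be replayed, and shows the TLS packet contributing nothing; the Set-Cookie check is the part worth keeping, as a test against a site's real login response.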

Facebook has indicated they hope to offer encryption to users in coming months, while Twitter and Flickr did not respond to emails requesting comment.


23 Comments


Seems to work OTA, not on wired connections. Unless it's completely dysfunctional on my private network, I can't capture a single login for any social networking site.

I know, when I heard about this on Security Now I was shocked; I hadn't read about it on Neowin. Not even a word. Apparently last week this was the hot story.

Nashy said,
Umm.. awesome. Go Neowin, share it with the world...

This has been widely reported some time ago. Nothing Neowin reports now has anything new really.

Aside from the fact this happened a week ago...

I took this to a mall, turned it on, collected 85 logins in like 30 mins, I was like dear god... and now I VPN everywhere I go.

Man!

Not yet another great reason to stay away from these socially diseased sites?! They are all just too wide open for anything to happen.

cork1958 said,
Man!

Not yet another great reason to stay away from these socially diseased sites?! They are all just too wide open for anything to happen.


That's just some examples, but most websites you visit will have this kind of problem.

cork1958 said,
Man!

Not yet another great reason to stay away from these socially diseased sites?! They are all just too wide open for anything to happen.

That has nothing to do with it. It's all about open Wi-Fi and whether or not the site you are logging into keeps you in an SSL-secured connection after you log into the site.

Neobond said,
This would surely affect people using free Wi-Fi at places like Starbucks & McD's?

yup

For people trying this out, note that hijacking user accounts is a criminal offense.

Also, FireShepherd exploits a bug in FireSheep IIRC, so it can possibly be fixed in the future. Not that I'm sure the FireSheep author cares for that -- I think he was more interested in stating an example than keeping an exploit updated. Someone may fork the FireSheep code though.