Firefox Extension Firesheep Puts Website Login Info at Risk

Firefox extension Firesheep exposes Facebook, Twitter login information.

By ABC News
October 25, 2010, 11:05 AM

Oct. 25, 2010 -- You might want to think twice before logging into Facebook, Twitter or countless other websites from an open Wi-Fi network.

According to Seattle-based software developer Eric Butler, if you sign into some of the Web's most popular sites through unsecured Wi-Fi networks (such as those available at airports and coffee shops), hackers could easily spy on you and steal your password information.

To show Internet users and websites the severity of this privacy hole, Butler created a free Firefox Web browser extension that, once downloaded, lets users hijack others' user information themselves.

Called Firesheep, the program lets users see who is connecting to the Internet through an unsecured Wi-Fi network. Once someone connects to an open Wi-Fi network, the program shows the person's name and photograph.

Just double-click on someone's name and - voila! - you're instantaneously signed in as them. If a person is using Facebook over an unsecured Wi-Fi network, with Firesheep's help, you could go into their account, change their password, check out their profile, interact with their friends and more.

Butler did not immediately respond to a request for comment from ABCNews.com. But in a blog post on Firesheep, he said the program exploits a security flaw related to browser cookies.

When a user signs into a website with a username and password, the server searches for an account that matches the information. Once the server finds the matching account, it sends the user a cookie that the Web browser uses for the rest of the online session. But though the initial login is encrypted by the website, everything that follows is not, Butler said.

Over public Wi-Fi networks, hackers can easily use the unprotected cookies to spy on the connection and sniff out login information, he said.
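A site operator can check for the condition described above, a session cookie issued after an encrypted login and then allowed onto plain HTTP, from the login response headers alone. The Python below is an added example, not code from the article or from Firesheep; the hostnames, sample responses and the session cookie name `session_id` are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: an HTTPS login response that hands the browser back to HTTP.
WEAK_RESPONSE = {
    "url": "https://login.example.test/session",
    "headers": [
        ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/"),
        ("Location", "http://www.example.test/home"),
    ],
}
# Constructed sample: the same response with the session kept on HTTPS.
HARDENED_RESPONSE = {
    "url": "https://login.example.test/session",
    "headers": [
        ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Location", "https://www.example.test/home"),
    ],
}

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part}
    return name, attrs

def audit_login_response(resp, session_cookies=("session_id",)):
    """Return findings that would let the session cookie cross the network unencrypted."""
    findings = []
    header_names = {name.lower() for name, _ in resp["headers"]}
    for name, value in resp["headers"]:
        if name.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            # Without Secure, the browser attaches the cookie to http:// requests too.
            if cookie in session_cookies and "secure" not in attrs:
                findings.append(f"{cookie}: no Secure attribute")
        elif name.lower() == "location" and urlsplit(value).scheme == "http":
            findings.append(f"redirect to cleartext {value}")
    # HSTS tells the browser to use HTTPS for every later request to this host.
    if urlsplit(resp["url"]).scheme == "https" and "strict-transport-security" not in header_names:
        findings.append("no Strict-Transport-Security header")
    return findings

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_login_response(resp))
```
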

"This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL," Butler said. Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."