Firefox Extension Firesheep Puts Website Login Info at Risk
Firefox extension Firesheep exposes Facebook, Twitter login information.
Oct. 25, 2010 -- You might want to think twice before logging into Facebook, Twitter or countless other websites from an open Wi-Fi network.
According to Seattle-based software developer Eric Butler, if you sign into some of the Web's most popular sites through unsecured Wi-Fi networks (such as those available at airports and coffee shops), hackers could easily spy on you and steal your password information.
To show Internet users and websites the severity of this privacy hole, Butler created a free Firefox Web browser extension that, once downloaded, lets users hijack others' user information themselves.
Called Firesheep, the program lets users see who is connecting to the Internet through an unsecured Wi-Fi network. Once someone connects to an open Wi-Fi network, the program shows the person's name and photograph.
Just double-click on someone's name and, voila, you're instantaneously signed in as them. If a person is using Facebook over an unsecured Wi-Fi network, with Firesheep's help, you could go into their account, change their password, check out their profile, interact with their friends and more.
Firesheep Exposes Facebook, Twitter Login Over Open Wi-Fi Networks
Butler did not immediately respond to a request for comment from ABCNews.com. But in a blog post on Firesheep, he said the program exploits a security flaw related to browser cookies.
When a user signs into a website with a username and password, the server searches for an account that matches the information. Once the server finds the matching account, it sends the user a cookie that the Web browser presents on every request for the rest of the online session. But though the initial login is encrypted by the website, everything that follows, the cookie included, is sent unencrypted, Butler said.
Over public Wi-Fi networks, hackers can easily capture the unprotected cookies as they cross the air, spy on the connection and sniff out login information, he said.
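The weakness Butler describes comes down to a cookie that the browser is willing to send over plain HTTP. The audit below is an added example, not code from the article, from Firesheep or from any of the sites named; it parses a `Set-Cookie` header, reports whether the session cookie lacks the `Secure` attribute (the setting that stops a browser from ever sending it unencrypted) and the `HttpOnly` attribute, and shows the hardened form of the same header. The cookie value and domain are constructed for illustration.

```javascript
// Added example (not from the article or from Firesheep): audit a Set-Cookie
// header for the attributes that keep a session cookie off the wire in
// plaintext. The header values below are constructed for illustration.

// Parse one Set-Cookie header value into its name/value pair and its
// attributes (attribute names keep their original case; matching is
// case-insensitive, as browsers treat them).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? "" : parts[0].slice(eq + 1).trim();
  const attributes = parts.slice(1).map((part) => {
    const i = part.indexOf("=");
    return i === -1
      ? { key: part.trim(), value: true }
      : { key: part.slice(0, i).trim(), value: part.slice(i + 1).trim() };
  });
  return { name, value, attributes };
}

function hasAttribute(attributes, wanted) {
  return attributes.some((a) => a.key.toLowerCase() === wanted.toLowerCase());
}

// Report the weaknesses that matter for the open-Wi-Fi scenario described
// above: a cookie without Secure is sent on every plain-HTTP request, which is
// exactly the traffic a sniffer on the same network can read.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  const secure = hasAttribute(attributes, "Secure");
  if (!secure) {
    findings.push("missing Secure: browser will send this cookie over plain HTTP");
  }
  if (!hasAttribute(attributes, "HttpOnly")) {
    findings.push("missing HttpOnly: cookie is readable from page scripts");
  }
  return { name, findings, sendsInClear: !secure };
}

// Build the hardened form of the same cookie: keep the site's own attributes
// (Path, Domain, Expires, ...) and append Secure and HttpOnly exactly once.
function hardenSessionCookie(header) {
  const { name, value, attributes } = parseSetCookie(header);
  const kept = attributes
    .filter((a) => !["secure", "httponly"].includes(a.key.toLowerCase()))
    .map((a) => (a.value === true ? a.key : `${a.key}=${a.value}`));
  return [`${name}=${value}`, ...kept, "Secure", "HttpOnly"].join("; ");
}

// Constructed sample: the kind of session cookie a site handed out after a
// login that was itself encrypted, with nothing stopping plaintext reuse.
const WEAK_COOKIE = "session_id=abc123; Path=/; Domain=.example.com";

console.log(auditSessionCookie(WEAK_COOKIE));
console.log(hardenSessionCookie(WEAK_COOKIE));
```

Marking the cookie `Secure` only helps if the site also serves its pages over HTTPS, since a browser will not send a `Secure` cookie to an `http://` page at all; that is the "full end-to-end encryption" Butler refers to below.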
"This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL," Butler said. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."
Security Expert: Public Wi-Fi Like Public Restrooms
Aaron Higbee, co-founder and chief technology officer of security firm Intrepidus Group, said Firesheep highlights the risks associated with public Wi-Fi networks.
"I equate public Wi-Fi to a public restroom," he said. "You never know what you're going to catch and you only use it if you absolutely have to."
Open Wi-Fi hotspots may be convenient for on-the-go Internet users but, he said, most consumers probably don't realize that when they connect to an open Wi-Fi network that does not have encryption, they're basically broadcasting their online session to everyone within listening distance.
Hackers could eavesdrop on these connections before Firesheep, but with the new program, this kind of online spying is easier than ever for a layperson, he said.
"Sometimes, that's what it takes for people to realize this is something… to be concerned about," he said. If you plan to use a public Wi-Fi network to connect to your e-mail or social networking account, or other sites that require authentication, Higbee recommends using a VPN (or virtual private network) application that protects a user's Internet session.
Use VPN Applications If Connecting Over Public Wi-Fi
If you use a work laptop, chances are your office has provided one for you to use. And if you primarily use a personal laptop in transit, Higbee said it might make sense to use a low-cost (or free) VPN program that costs about $5 a month.
Instead of using public Wi-Fi, he also suggested tethering your laptop to your smartphone (assuming it allows tethering) and using the phone's data plan to connect to the Internet.
The 3G connection may not be as fast as a Wi-Fi connection, but it's much safer, he said.
As for the websites themselves, while Higbee said he understands that it's not a "trivial undertaking" to encrypt an entire Internet session, he said that, at minimum, sites could notify users if others were using their cookies or potentially eavesdropping on their activity. Some applications, such as AOL Instant Messenger and Gmail, already employ similar safeguards.
"They absolutely could do that and put that warning in front of somebody," he said.
Firefox Extension Force-TLS Could Protect Users From Firesheep Exploit
Steve Manuel, a senior at the University of Southern California, said that after reading about Firesheep on the technology blog TechCrunch, he found one possible way to protect users from Firesheep hackers.
"I searched around for any tools that would force you to go to the secure version of that website," he said.
Manuel said he found another Firefox extension called Force-TLS which, once downloaded, automatically takes a user from the unencrypted (HTTP) version of a website to the secure (HTTPS) version of the same site.
By default, Web browsers load the unencrypted version of a website because it is faster to load than the secure version and, usually, safe enough for an Internet session.
But in environments where Internet sessions may be open to eavesdropping, the secure version adds a layer of protection by encrypting the information flowing between the user and the website, including the session cookie.
Not every website includes a secure version and Internet users should be careful about the kinds of information they exchange over a public Internet network, but Manuel said it seems that the Force-TLS extension should protect users accessing well-known websites like Facebook, Twitter and Google.
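The behaviour Manuel describes is an address rewrite: for hosts known to serve a secure version, a plain `http://` URL is replaced by its `https://` counterpart before the request goes out. The code below is an added example that models that rule, not the Force-TLS extension's own code, and it adds the server-side complement a site can deploy itself, answering plain-HTTP requests with a redirect to the secure address so that users who have no extension are protected too. The host names in `FORCED_HTTPS_HOSTS` are constructed for illustration; a real list would carry the sites the user actually relies on.

```javascript
// Added example (not the Force-TLS extension's own code): a model of the
// http -> https upgrade the article describes, keyed on a list of hosts known
// to serve a secure version, plus the redirect a site can send on its own.
// Host names below are constructed for illustration.

// Hosts marked as HTTPS-capable; a rule also covers that host's subdomains.
const FORCED_HTTPS_HOSTS = ["facebook.example", "twitter.example"];

// True when `host` is the rule host itself or lies beneath it
// ("api.twitter.example" matches "twitter.example"; "nottwitter.example" does not).
function hostMatches(host, rule) {
  host = host.toLowerCase();
  rule = rule.toLowerCase();
  return host === rule || host.endsWith("." + rule);
}

// Browser side: return the URL a Force-TLS-style rewrite would navigate to.
// Plain-HTTP URLs for forced hosts are upgraded; everything else is returned
// unchanged, so sites with no secure version keep working.
function upgradeToHttps(urlString, forcedHosts = FORCED_HTTPS_HOSTS) {
  const url = new URL(urlString);
  if (url.protocol !== "http:") return url.href;
  if (!forcedHosts.some((rule) => hostMatches(url.hostname, rule))) return url.href;
  url.protocol = "https:"; // the URL API drops a default port for us
  return url.href;
}

// Server side (assumed design, not from the article): a site that has a secure
// version answers any plain-HTTP request with a permanent redirect to the same
// path over HTTPS. Returns null when the request was already secure.
function redirectToHttps(requestUrl) {
  const url = new URL(requestUrl);
  if (url.protocol !== "http:") return null;
  url.protocol = "https:";
  return { status: 301, headers: { Location: url.href } };
}

console.log(upgradeToHttps("http://www.facebook.example/home.php"));
console.log(upgradeToHttps("http://other.example/"));
console.log(redirectToHttps("http://twitter.example/login"));
```

The browser-side rule only covers hosts on its list, which is why Manuel's caveat stands: a site that has no secure version cannot be upgraded, and the redirect shown second only exists if the site operator has chosen to deploy it.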