Firesheep: A Firefox Extension That Lets Anyone Hack Your Social Media Accounts
Software developer Eric Butler created a Firefox extension, Firesheep, that allows anyone to log into anyone else’s social media accounts so long as both parties are connected to an unsecured wireless network. Luckily, TechCrunch reader Steve Manuel claims to have found a way to combat Firesheep by using another Firefox extension, Force-TLS.
The way Firesheep works is actually pretty simple: If both parties are connected to an unsecured WiFi spot, such as a coffee shop’s free WiFi, the Firefox extension waits around for people to log into their social media accounts, then basically rips the users’ cookies out of the WiFi traffic; those cookies contain everything required to log into various social media sites. The extension is even user-friendly, as the user interface (shown above) organizes captured account information and allows Firesheep users to simply click on which account they’d like to seize.
Update: The creator of Firesheep says that over 129,000 copies were downloaded in the first day.
The security vulnerability apparently lies in how social media sites don’t encrypt anything that follows the login process, allowing Firesheep to rip the cookie that contains the login information sometime after the victim has logged in. According to Eric Butler, he didn’t release the extension as a means to cause chaos amongst social media users, but as a means to show social media companies that the way they protect information isn’t close to good enough:
Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.
TechCrunch has a fairly simple step-by-step guide that explains how to protect against Firesheep, so head on over there if you’re of the type to frequently log into your social media accounts through public WiFi connections.
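For site operators, the weakness described above (a login cookie that keeps travelling over unencrypted HTTP after sign-in) can be checked from response headers. The following is an added example, not code from the article, from Firesheep or from TechCrunch's guide: it flags cookies set without the Secure attribute, responses served over plain HTTP, and HTTPS responses that lack the Strict-Transport-Security header, the server-side way of forcing TLS. The host social.example, the cookie values and the finding codes are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in rest if p}
    return name, attrs

def audit_response(url, headers):
    """Return (code, detail) findings for one HTTP response.
    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive."""
    findings = []
    is_https = urlsplit(url).scheme.lower() == "https"
    has_hsts = False
    for key, value in headers:
        key = key.lower()
        if key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            # Without Secure, the browser also sends this cookie on plain-HTTP requests.
            if "secure" not in attrs:
                findings.append(("COOKIE_NOT_SECURE", name))
        elif key == "strict-transport-security":
            has_hsts = True
    if not is_https:
        # Everything in this response, cookies included, is readable on open WiFi.
        findings.append(("PLAINTEXT_RESPONSE", url))
    elif not has_hsts:
        # Browsers only honour this header over HTTPS, so it is checked only there.
        findings.append(("NO_HSTS", url))
    return findings

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "post-login page over HTTP": ("http://social.example/home",
        [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    "HTTPS login, weak cookie": ("https://social.example/login",
        [("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
         ("Set-Cookie", "lang=en; Path=/; Secure")]),
    "hardened": ("https://social.example/login",
        [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
         ("Strict-Transport-Security", "max-age=31536000")]),
}

if __name__ == "__main__":
    for label, (url, headers) in SAMPLES.items():
        print(label, audit_response(url, headers))
```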