Whenever you connect to an unsecured WiFi network, you’re taking a chance, but now it’s easier than ever for someone to gain access to all of your social network login information. A new Firefox extension called Firesheep makes it simple for anyone to see that you’re connected to the network, grab your login information for any number of social networks, and take over your online identity.
Without this, hacking your account over an unsecured wireless network may not be rocket science, but it surely isn’t the one-click magic made possible by Firesheep.
Firesheep takes advantage of unsecured wireless networks and unencrypted cookies to “sidejack”, or gain access to sites by way of accessing these cookies. Developed by Eric Butler, a freelance web application and software developer in Seattle, Washington, Firesheep was created and released at Toorcon 12 to demonstrate the security risk inherent in storing unencrypted login data in cookies. As Butler writes on his blog, “On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.”
Firesheep opens a sidebar in Firefox that shows everyone who is connected to a certain unsecured WiFi network. With a single click, you can connect to most any social network using that person’s user name and password.
By making it this easy to hack other users accounts, Butler says that he is hoping the extension will force major sites like Twitter or Facebook to act responsibly and protect their users.
“Websites have a responsibility to protect the people who depend on their services,” writes Butler. “They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.”
Earlier today, TechCrunch pointed to Force-TLS as a potential solution. The Firefox extension allows you to force sites like Twitter or Facebook to use HTTPS. In the comments, users also pointed to a Chrome extension that has similar functionality. Many, however, pointed out that the most secure route is to set up a VPN (virtual private network) for whenever you access the Internet using unsecured wireless. Others pointed to an SSH (secure shell), which allows the secure transfer of information. At the same time, other commenters pointed out ways that these too might not be secure.
It seems that Butler has a valid point and maybe, only through making the insecurities this glaringly obvious, will the big social networks – with which we share all our daily minutiae – change their insecure ways.