Firesheep In Wolves' Clothing: Extension Lets You Hack Into Twitter, Facebook Accounts Easily

It seems like every time Facebook amends its privacy policy, the web is up in arms. The truth is, Facebook’s well publicized privacy fight is nothing compared to the vulnerability of all unsecured HTTP sites — that includes Facebook, Twitter and many of the web’s most popular destinations.

Developer Eric Butler has exposed the soft underbelly of the web with his new Firefox extension, Firesheep, which will let you essentially eavesdrop on any open Wi-Fi network and capture users’ cookies.

As Butler explains in his post, “As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed” in the window. All you have to do is double click on their name and open sesame, you will be able to log into that user’s site with their credentials.

One word: wow.

It’s not hard to comprehend the far-reaching ramifications of this tool. Anytime you’re using an open Wi-Fi connection, anyone can swiftly access some of your most private, personal information and correspondence (i.e. direct messages, Facebook mail/chat)— at the click of a button. And you will have no idea.

This is how it works. If a site is not secure, it keeps track of you through a cookie (more formally referenced as a session) which contains identifying information for that website. The tool effectively grabs these cookies and lets you masquerade as the user.

Apparently many social network sites are not secured, beyond the big two, Foursquare, Gowalla are also vulnerable. Moreover, to give you a sense of Firesheep’s scope, the extension is built to identify cookies from Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp. And that’s just the default setting— anyone can write their own plugins, according to the post.

Within an hour of Butler’s post appearing on Hacker News, Firesheep was downloaded more than 1,000 times and evidence of usage has already popped up on Twitter in fantastic fashion. (Disclaimer: At the time of this post, I was not in a public setting and could not fully exploit the extension, however several users have reported success.)


(I had to pull one Tweet down at the request of the user, who had hacked into someone’s Twitter account).


Thanks to Bensign, aka Ben Schaechter (former TechCrunch developer) for the tip.

According to Butler’s post, he created this seemingly diabolical tool to expose the severe lack of security on the web. We spend so much time quibbling over the minutia in privacy policies, we lose sight of the forest, or in this case, gaping security holes.

“Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” Butler says.

Update: A TechCrunch reader has discovered a Firefox extension that can prevent Firesheep from accessing your login information.
(Teaser Image: Flickr/David Makes)

Second Update: Here’s Facebook’s official statement on the matter:We have been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months. As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks. This tip and others can be found on the Facebook Security Page.

The FTC’s OnGuardOnline.gov website also advises people about this :

Be careful about the information you access or send from a public wireless network. To be on the safe side, you may want to assume that other people can access any information you see or send over a public wireless network. Unless you can verify that a hot spot has effective security measures in place, it may be best to avoid sending or receiving sensitive information over that network.

Additional points:

-Facebook logins are always encrypted (more info here: http://www.facebook.com/help/?faq=15504).
-We offer a session control feature that allows people to view all of their active Facebook sessions (including those on unsecured networks) and close any they no longer want open. This helps if you forget to log out on another device or network. More info here.