Well, that was fast.
In roughly 24 hours, Firesheep has been downloaded more than 104,000 times, as would-be-hackers — or the merely curious— downloaded the Firefox extension to test the exploit.
As we reported on Sunday night, Eric Butler’s Firesheep allows users on a public Wi-Fi network to effectively spy on others, by giving Firesheep users access to sensitive information (via cookies) that lets them log into their victim’s accounts on unsecured sites. The Firesheep extension is wired to identify a few dozen popular sites that are vulnerable to attack on public networks, such as Twitter, Facebook, Flickr, Tumblr and Yelp.
On Monday night we got a chance to catch up with Butler, who has been pretty overwhelmed by the attention. Although he opened Pandora’s box expecting to spark controversy and discussion, he repeatedly asserts that his aim was fundamentally altruistic. Butler argues that this HTTP vulnerability was being exploited by moderately sophisticated hackers, and therefore, by making it dead simple to the average joe it would raise awareness and compel sites to raise the bar on security:
Firesheep was written over the course of a few months in spare time but really boils down to a few weeks of work. I originally thought of the idea three or four years ago, but didn’t start working on it until this year.
I went back and forth trying to predict what the reaction might be. Initially before Firesheep was completed I thought there might be moderate interest, but then after doing more research found a lot of one-off articles discussing this same issue that were essentially ignored. I certainly never expected Firesheep to be the #10 trending search on Google in the US. I’ve received a ton of great messages from people who are happy that this issue has finally received widespread attention, so after day one I’m happy with the result.
The attack that Firesheep demonstrates is easy to do using tools that have been available for years. Criminals already knew this, and I reject the notion that something like Firesheep turns otherwise innocent people evil.
Butler says he will release a new blog post in the next few hours that will help users protect themselves— apparently, he says, since the launch there has been significant misinformation floating on the web. We will update this post when it goes live. In the meantime, if you’re curious to learn more about the extension (without actually downloading it) Butler recommends this YouTube video:
UPDATE: Butler’s latest blog post is live, click here.