As Butler explains in his post, “As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed” in the window. All you have to do is double click on their name and open sesame, you will be able to log into that user’s site with their credentials.
One word: wow.
It’s not hard to comprehend the far-reaching ramifications of this tool. Anytime you’re using an open Wi-Fi connection, anyone can swiftly access some of your most private, personal information and correspondence (i.e. direct messages, Facebook mail/chat)— at the click of a button. And you will have no idea.
This is how it works. If a site is not secure, it keeps track of you through a cookie (more formally referenced as a session) which contains identifying information for that website. The tool effectively grabs these cookies and lets you masquerade as the user.
Apparently many social network sites are not secured, beyond the big two, Foursquare, Gowalla are also vulnerable. Moreover, to give you a sense of Firesheep’s scope, the extension is built to identify cookies from Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp. And that’s just the default setting— anyone can write their own plugins, according to the post.
Within an hour of Butler’s post appearing on Hacker News, Firesheep was downloaded more than 1,000 times and evidence of usage has already popped up on Twitter in fantastic fashion. (Disclaimer: At the time of this post, I was not in a public setting and could not fully exploit the extension, however several users have reported success.)
(I had to pull one Tweet down at the request of the user, who had hacked into someone’s Twitter account).
Thanks to Bensign, aka Ben Schaechter (former TechCrunch developer) for the tip.
According to Butler’s post, he created this seemingly diabolical tool to expose the severe lack of security on the web. We spend so much time quibbling over the minutia in privacy policies, we lose sight of the forest, or in this case, gaping security holes.
“Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” Butler says.
Update: A TechCrunch reader has discovered a Firefox extension that can prevent Firesheep from accessing your login information.
(Teaser Image: Flickr/David Makes)
0 0 1 1 0 0
Authors: Evelyn Rusli