One word: wow.
If a site is not secure, it keeps track of you through a cookie (more formally referenced as a session) which contains identifying information for that website. The tool effectively grabs these cookies and lets you masquerade as the user.
Apparently many social network sites are not secured, beyond the big two, Foursquare, Gowalla are also vulnerable. To give you a sense of Firesheep’s scope, the extension is built to identify cookies from Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp. And that’s just the default setting— anyone can also write their own plugins.
Within an hour of Butler’s post appearing on Hacker News, Firesheep was downloaded more than 1,000 times and evidence of usage is already popping up on Twitter in fantastic fashion.
(I had to pull one Tweet down at the request of the user, who had hacked into someone’s Twitter account).
Thanks to Bensign, aka Ben Schaechter (former TechCrunch developer) for the tip.
According to Butler’s post, he created this seemingly diabolical tool to expose the severe lack of security on the web. We spend so much time quibbling over the minutia in privacy policies, we lose sight of the forest, or in this case, gaping security holes.
“Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” Butler says.
8 8
Authors: Evelyn Rusli