A new Firefox add-on could allow even the most inexperienced of hackers to tap into your Facebook or email accounts via an unsecured public Wi-Fi network.
Dubbed “Firesheep”, the add-on takes advantage of a technique known as “HTTP session hijacking”, also known as “sidejacking”. Using Firesheep is as simple as installing the add-on, connecting to an open Wi-Fi network, opening a sidebar and clicking a button.
As soon as another user on the network visits an insecure website, their details appear in the sidebar. Just a double-click later, and the Firesheep user is logged in as someone else, and free to do as they please.
Vulnerable sites include Facebook, Flickr and Twitter.
The trick, according to Firesheep creator Eric Butler, lies in cookies, small files stored on users’ computers by most websites and used to store a bevy of information ranging from usernames and passwords to shopping cart contents. On an open Wi-Fi network, cookies are sent “in the clear” or without any kind of protection, allowing add-ons like Firesheep to grab them and impersonate other users.
In a statement on his website, Mr Butler said he created the add-on in the hope that website owners would take their users’ security more seriously.
“Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” he said.
He said the only way to prevent the kind of attack leveraged by Firesheep is end-to-end encryption, though one enterprising student from Iceland has created FireShepherd, a Windows-only program that floods a wireless network with packets, preventing Firesheep from working.
Facebook has indicated they hope to offer encryption to users in coming months, while Twitter and Flickr did not respond to emails requesting comment.
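For site operators, the cookie exposure described above can be checked from the response headers a site sends. The following is an added example, not code from Firesheep or from the article: it flags cookies that a browser would send unencrypted, either because they are set over plain HTTP or because they lack the `Secure` attribute. The HSTS check goes slightly beyond the article, and all URLs, cookie names and headers are constructed sample data.

```python
# Added example: audit captured response headers for cookies that can travel in the clear.
# Hostnames, cookie names and values below are constructed for illustration.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie_name, lowercase attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(url, headers):
    """Return a list of (subject, problem) findings for one HTTP response."""
    findings = []
    over_https = url.lower().startswith("https://")
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not over_https:
            # The cookie itself crossed the network unencrypted.
            findings.append((name, "set over plain HTTP"))
        elif "secure" not in attrs:
            # Browser will also attach it to any later http:// request to the site.
            findings.append((name, "missing Secure attribute"))
    if over_https and not has_hsts:
        # Without HSTS the browser may still make plain-HTTP requests to the site.
        findings.append(("(response)", "no Strict-Transport-Security header"))
    return findings

# Constructed sample responses: (URL, list of header pairs).
SAMPLES = [
    ("http://social.example/home", [("Set-Cookie", "session=abc123; Path=/")]),
    ("https://social.example/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "csrf=tok789; Path=/; Secure")]),
    ("https://mail.example/inbox", [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "sid=def456; Path=/; Secure; HttpOnly")]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        for subject, problem in audit_response(url, headers) or [("-", "ok")]:
            print(f"{url}: {subject}: {problem}")
```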