A new open-source extension for the Firefox web browser highlights a big security problem that many popular websites have. It allows anyone to access other people’s accounts on many popular websites while those accounts are being used over a WiFi network.
Firesheep is a free program that allows a person to access the personal information of anyone connected to the same wireless network.
Eric Butler, the freelance web application and software developer who created Firesheep, said on his website codebutler.com that he didn’t create the program to encourage people to access other people’s accounts. He created it and made it free to highlight the security problems that many popular websites have.
“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users,” his website says. “The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.”
The easy-to-use interface of the application is accessible to anyone, not just those with extensive computer knowledge. All it requires is a quick download and installation; after that, the captured account information appears in a sidebar complete with a picture and site information.
Justin Sherenco, Information Security Analyst at Eastern Michigan University, said this capability is nothing new.
“It’s a little troubling, but the ability to do this has always been possible,” Sherenco said. “Now it’s just been made more accessible.”
With more than 10,000 downloads in just a few short months, Firesheep poses a huge threat to an individual’s privacy on popular websites like Facebook, Twitter and Flickr.
“We’re not actively monitoring [Firesheep] because it’s just too hard to trace it,” Sherenco said. “There is always a risk to using public WiFi. The responsibility is placed both on the website being used and on the user.”
When logging into a site such as Facebook, Myspace or Twitter, the website generally requires a login name and password to verify that the user has an account on the server. Once a person does this, their web browser downloads a “cookie,” which contains small bits of text with encrypted information on it.
While virtually every website encrypts its logins, most fail to encrypt everything else, which leaves the cookie, and with it the user, open to exploitation. HTTP session hijacking, or “sidejacking,” is what happens when a person gets hold of a user’s cookie and uses the information in it to gain entrance to their account.
While many websites introduce enhanced privacy features in an effort to protect their users, there seems to be very little point if a person can just take absolute control of an account.
Even though it’s now been made far easier for people to sidejack other people’s accounts, there are still many preventive measures one can take. Extensions like Sheepherder and Blacksheep block such attacks and are available directly from Mozilla.com.
While there is no guarantee of safety while using public Internet access, many websites, like Google, have already updated their security by using HTTPS, which encrypts everything past the initial login page. It is now only a matter of time before Facebook and other websites follow Google’s lead. Until then it is the responsibility of the users to guard their own privacy.
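The cookie problem described above, and the HTTPS fix the article calls for, can be checked from the website's side. The following is an added example, not code from the article, Firesheep or any of the sites named: it audits constructed Set-Cookie headers for session cookies that a browser would also send over plain http://, and rewrites them with the Secure and HttpOnly attributes so they travel only over encrypted connections. The cookie names and the SESSION_HINTS heuristic are assumptions for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers (not captured from any real site). The first is a
# session cookie set without the Secure attribute, so the browser will also send it on
# plain http:// requests, which is exactly what makes sidejacking on shared WiFi possible.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/",
    "auth_token=xyz789; Path=/; Secure; HttpOnly",
]

# Name fragments that usually mark a cookie as carrying login state.
# Assumption: a heuristic only, since cookie names vary from site to site.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Return (name, secure, httponly) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return name, bool(morsel["secure"]), bool(morsel["httponly"])


def is_sidejackable(header):
    """True when the cookie looks like a session cookie and lacks Secure, meaning the
    browser would transmit it in the clear on any http:// request to the site."""
    name, secure, _ = parse_set_cookie(header)
    return any(hint in name.lower() for hint in SESSION_HINTS) and not secure


def harden(header):
    """Rewrite the header so the cookie is only sent over HTTPS and is hidden from page
    scripts: the server-side half of the end-to-end encryption fix."""
    jar = SimpleCookie()
    jar.load(header)
    (morsel,) = jar.values()
    morsel["secure"] = True
    morsel["httponly"] = True
    return morsel.OutputString()


def audit(headers):
    """Map each cookie name to whether it is exposed to sidejacking."""
    return {parse_set_cookie(h)[0]: is_sidejackable(h) for h in headers}


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        exposed = is_sidejackable(h)
        print("EXPOSED" if exposed else "ok     ", h)
        if exposed:
            print("  fixed ->", harden(h))
```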