Firesheep exposes gaping Wi-Fi security holes

October 25, 2010 By Molly McHugh

Firesheep takes the technical skill out of hijacking a Wi-Fi session, making it possible for strangers to infiltrate everything from Facebook to Yahoo accounts on public networks.

In case you weren’t already weary of Internet security plagues, here’s a new one for you. Firesheep, a downloadable extension for Firefox, can now make it more than possible for someone to take over your Wi-Fi session. It makes it really easy.

Once installed, a person can hijack your Wi-Fi session, including the ability to access Twitter, Facebook, WordPress, and Amazon accounts, among others.

Who’s responsible for this? Software developer Eric Butler says he created the app in order to show the masses how easy it is for their accounts to be highjacked over a Wi-Fi connection. And if you were already aware of this, he is simply confirming it for you.

On his blog, Butler explains the simplicity of Firesheep. “It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable.” Butler has made the add-on openly available and very simple to download and use – so anyone with a Wi-Fi connection and a strong sense of curiosity can easily try it out.

Wi-Fi security isn’t a new issue. Concern about accessing secure information over a public connection has been loudly voiced, but the effortlessness and availability of Firesheep makes it easy to use by anyone, even those with little to no technical knowledge.

Butler insists his motives are pure, that website security needs to acknowledge these holes and fix them before more people like him won’t exploit them.

Showing 5 comments

Natalie at 3:56pm 27th October 2010 Debian - I audit government programs for a living. There aren't enough intelligent people working for the government for them to pull data into any sort of meaningful form. If there were, we wouldn't have medicare fraud or as much fraud in all of the other government funded programs.
Adrin at 1:30pm 27th October 2010 Free Yahoo email is an example of this. Once you log in you are back to http and not https. There are a number of websites that once you hijack the URL, you can log in as that person anytime you want. Even if they change their password.
john at 6:47am 26th October 2010 If the information were that sensitive, then the site would/should be using https anyway. If you put sensitive info on your FB account you are just asking for it anyway. lol
Debian at 9:44pm 25th October 2010 Stop using facebook. Stop using Twitter. Stop using MySpace. Delete all of your account and personal information from these websites. Don't all you sheeple know that DARPA is building a citizen database, and every personal message, tweet, status update is on the permanent record? If you use any of these services, you are being an "enabler" of government data mining and spying. Put down your smartphone. Disable the GPS/Location tracker. Smash it with a hammer. Go off the grid.
1. Dan23 at 3:29pm 14th November 2010 Hahahahahaha...... "the government is watching me play farmville!!!" And did you honestly use the word "sheeple"? Hahahahahahaha..... But wait! I must be in on the conspiracy theory!