
A new 'plugin' program for the Firefox web browser has gotten the attention of a lot of people in the technology world recently. And that attention isn't exactly positive. The plugin, called Firesheep, turns the web browser into a powerful tool for eavesdropping on the allegedly "secure" web site sessions running on other computers on a WiFi network.
Firesheep was created by Eric Butler, a software developer in Seattle, as a demonstration of how easy it is for malicious software to "sidejack" web sessions on a network—grabbing hold of the credentials of a user of Facebook, Google, or even commerce sites like Amazon, and masquerading as them. In just two minutes, I was able to install Firesheep on my laptop and start capturing web logins from other computers on my home network.
Here's how Firesheep works: When you log into a website, it creates a "cookie" with information identifying you and what you're doing on the site, and passes it back to your browser. If Firesheep is running on the same WiFi network as your computer, it sees the cookie coming back to your computer by looking at all the network traffic that passes by, and grabs the cookie itself. The person using Firesheep will then see the identity information pop up in a sidebar in their browser, and can connect to the website as you—posting Facebook updates, Twitter "tweets", and even looking through your Amazon account.
David Troy, a Baltimore-based software developer and angel investor, tested out Firesheep himself while flying from Washington to San Francisco. He was stunned by the results:
Within just a couple of minutes, I was able to impersonate 3 people on Facebook (updating their status, exploring friends, doing anything I wanted to – of course I didn't). Twitter is also at risk. So is Gmail. And so is Amazon. Access to Amazon is perhaps the most worrying. Once I realized I was in under someone else's Amazon account, I quickly shut down Firesheep: this is some scary stuff. What if I had changed the shipping address for the account and done a one-click order on a $10,000 watch or a $2,000 plasma TV?
I wasn't able to hack Gmail using Firesheep – while I was able to capture a Google persona from another browser, I still got prompted for the password when trying to get into the account's Gmail. Facebook was another story entirely—I was able to jump onto a test account I had logged into from another computer and start posting updates.
Butler defends Firesheep as a tool to show how insecure most allegedly secure websites are. "Firesheep was created to raise awareness about an existing and frequently ignored problem. As I've said before, I reject the notion that something like Firesheep turns otherwise innocent people evil," he wrote on his weblog. "Firesheep has brought a discussion about very important issues into the limelight. Censorship does not offer a solution to these underlying issues, and will only cause further problems."
Butler is right: those with evil intent don't need Firesheep to grab hold of your credentials on these sites, because the sites themselves don't use the secure web protocol, HTTP Secure (HTTPS), to encrypt connections to the site.
In the case of Facebook and Twitter, the sites only use HTTPS to protect the logon and password, but the "cookie" that identifies the user is passed back and forth unencrypted after you log in. And when you disconnect from sites like Amazon, Facebook, and Twitter, the session isn't deleted on the server—someone else can come back using the cookies captured by Firesheep or any other tool that recognizes cookies in network traffic.
And there are other tools that do that—they've been around for a while. The problem is that the casual eavesdropper now has the same sort of abilities as someone who has malicious intent.
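The two defects described above, an identifying cookie that the browser will send over plain HTTP and a server that keeps a session alive after the user logs out, are both fixed on the server side. The following is an added example, not code from the article or from Firesheep's author, written in Python as a minimal in-memory session store; the function names, the cookie name "session" and the sample users are assumptions. It shows the weak Set-Cookie header beside the hardened one (Secure, HttpOnly, SameSite attributes), a check for whether a given Set-Cookie header would be exposed over unencrypted HTTP, and a logout that actually deletes the session so that a copy of the cookie captured off the wire earlier is rejected afterwards.

```python
# Added example (not the article's or Firesheep's code): a minimal server-side
# session store illustrating the two problems the article describes and their
# fixes. All function names, the cookie name and sample users are assumptions.
import secrets
import time

# session id -> {"user": str, "expires": float}; stand-in for a real store
SESSIONS = {}


def create_session(user, ttl_seconds=3600, now=None):
    """Log a user in: mint an unguessable session id and record it server-side."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": now + ttl_seconds}
    return sid


def weak_set_cookie(sid):
    """The pattern the article criticises: no Secure attribute, so the browser
    also attaches this cookie to plain-HTTP requests, where a sniffer on the
    same network can read it."""
    return f"session={sid}; Path=/"


def hardened_set_cookie(sid):
    """Secure: sent only over HTTPS. HttpOnly: not readable by page scripts.
    SameSite=Lax: not attached to most cross-site requests."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_attributes(set_cookie_header):
    """Parse a Set-Cookie header into the set of its attribute names (lower-cased)."""
    parts = [p.strip() for p in set_cookie_header.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def exposed_over_http(set_cookie_header):
    """True if a browser would send this cookie over unencrypted HTTP."""
    return "secure" not in cookie_attributes(set_cookie_header)


def lookup(sid, now=None):
    """Resolve a presented session cookie to a user, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    if entry["expires"] <= now:
        SESSIONS.pop(sid, None)  # expired: forget it server-side too
        return None
    return entry["user"]


def logout(sid):
    """Invalidate the session on the server, not only in the browser, so that a
    copy of the cookie captured earlier stops working."""
    SESSIONS.pop(sid, None)


def replay_after_logout_succeeds(user):
    """Simulate the article's scenario: the cookie is copied off the wire, the
    real user logs out, then the copy is replayed. Returns True if the replay
    is still accepted (the defect), False if the server now rejects it."""
    sid = create_session(user)
    captured = sid  # what an eavesdropper on the same network would have seen
    logout(sid)
    return lookup(captured) is not None


if __name__ == "__main__":
    sid = create_session("alice")
    print("weak cookie exposed over HTTP:", exposed_over_http(weak_set_cookie(sid)))
    print("hardened cookie exposed over HTTP:", exposed_over_http(hardened_set_cookie(sid)))
    print("replay accepted after logout:", replay_after_logout_succeeds("bob"))
```

Note that the Secure attribute only stops the browser from sending the cookie over HTTP; if the site itself serves pages over HTTP after login, as the article says Facebook and Twitter did, the session has to be carried over HTTPS end to end for the attribute to help, and the logout handler must delete the session record on the server rather than just clearing the cookie in the browser.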
Here's how to keep Firesheep from grazing on your private data:
Of course, devious parents would use Firesheep to keep tabs on what their kids are up to on Facebook. But I would never suggest using it for that.