A new Firefox add-on called "Firesheep," developed by Seattle-based freelance Web application developer Eric Butler, enables almost anyone to scan a Wi-Fi network and hijack others' access to popular services like Facebook, Twitter, and others. Butler unveiled Firesheep at the ToorCon security conference in San Diego, which occurred from October 22-24.

Butler explained that he developed Firesheep to highlight the risks associated with accessing unencrypted websites via public Wi-Fi spots. While many sites secure user log-ins with HTTPS or SSL, they often do not encrypt the rest of the traffic. "This leaves the cookie, and the user, vulnerable," Butler stated in a blog post. "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."

Once a hacker obtains a user's cookie, they can perform any action that the user can on the website. Firesheep can hijack sessions on several major sites, including Facebook, Twitter, Flickr, bit.ly, Google, and Amazon.
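The exposure described above (a session cookie issued at an HTTPS log-in that the browser then repeats over plain HTTP) can be caught on the server side by auditing the Set-Cookie headers a site emits. The script below is an added example, not code from the article or from Firesheep; the header values and the session-name heuristic in SESSION_HINTS are constructed for illustration.

```python
"""Audit Set-Cookie headers for session cookies a browser would also send over
plain HTTP, which is exactly the exposure Firesheep captured on open Wi-Fi."""

# Name fragments that usually mark a session or auth cookie (constructed heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name.strip(), attrs


def audit_cookies(set_cookie_headers):
    """Return [(cookie_name, [problem, ...])] for session-like cookies that lack
    the attributes keeping them off an unencrypted connection."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # preference cookies like "theme" are not worth flagging
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure: sent on every http:// request too")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by page scripts")
        if problems:
            findings.append((name, problems))
    return findings


# Constructed sample: the log-in happened over HTTPS, but the first cookie was
# never marked Secure, so the browser repeats it over plain HTTP afterwards.
SAMPLE_SET_COOKIE = [
    "sessionid=c0ffee1234; Path=/; HttpOnly",
    "theme=dark; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
    "auth_token=abc123; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for cookie, problems in audit_cookies(SAMPLE_SET_COOKIE):
        print(cookie, "->", "; ".join(problems))
```

Serving the whole session over HTTPS is the fix Butler and Wang call for; the Secure attribute is the matching server-side guarantee that a session cookie is never sent over an unencrypted connection in the first place.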

Richard Wang, the U.S. manager of SophosLabs, a part of the security company Sophos based in Abingdon, England, commented, "None of this is new, the flaw certainly isn't. But Firesheep makes it so easy to discover [unencrypted traffic and cookies] that pretty much anyone can use it to listen to what others are doing at public hot spots."

Firesheep operates by adding a sidebar to Mozilla's Firefox browser that indicates when someone on an open network visits an insecure site. "Double-click on someone [in the sidebar] and you're instantly logged on as them," Butler briefly described.

Since its release, Firesheep has been downloaded nearly 50,000 times, demonstrating its considerable appeal.

Butler hopes that Firesheep will prompt websites to take security more seriously. "Websites have a responsibility to protect the people who depend on their services," he said. "They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure Web."

Wang echoed this sentiment, expressing hope that Firesheep would lead to wider use of HTTPS. He also encouraged public networks to enhance security, despite acknowledging the logistical challenges, such as distributing passwords. "It's the old 'security-vs.-convenience' argument," he noted.

For personal protection, Wang advised against accessing insecure sites on public networks and suggested that more tech-savvy individuals could use a secure proxy server hosted on their work machine.

Currently compatible with the Windows and Mac OS X versions of Firefox, Firesheep is available for free download on the GitHub site. Butler is also developing a version for Linux.
