Now Anyone At Your Café Can Hijack Your Facebook Account

A new Firefox extension lets anyone sharing an open wireless network at your neighbourhood café or workplace easily access your Facebook, Twitter and myriad other online accounts. It's a terrifying tool designed to highlight a longstanding problem.

Seattle programmer Eric Butler's new Firesheep extension can show you a graphical list of the online accounts of everyone sharing an open wifi network with you. With one click on an icon, you're instantly logged in as them. A screenshot:

"HOLY CRAP" sums up the general Twitter reaction, as compiled by TechCrunch.

The vulnerability exploited by Firesheep has been there for years. Many major websites transmit the keys to your account — your login HTTP "cookies" — completely in the clear, with no encryption whatsoever. That's not a problem when you're on a well-secured wireless network; for example, if your local café uses WPA encryption on the router, you'd almost certainly be fine. The vulnerable networks are those that are totally open, as well as, possibly, networks that use the weak WEP password system. You'll typically see these types of vulnerable networks in college dormitories, cafés and restaurants, or at other businesses that never bothered to modernize their wireless infrastructure.

Vulnerable sites include Amazon, Dropbox, Facebook, Flickr, Foursquare, Google, nytimes.com, Tumblr, Twitter, Wordpress, Yahoo and Yelp. These sites could fix the problem by routing cookies through the secure HTTPS protocol. Indeed, encouraging them to do so is why Butler created Firesheep:

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web.

Judging from internet reaction to Firesheep, that's already happening.

Update: This vulnerability exists outside of the browser, so it's not Firefox specific, and switching to Chrome will not help, as some commenters have suggested. It also shouldn't affect cellular data networks, including 3G networks, so we've updated our wording above to make it clear we're talking about wifi.

Although the problem is fundamentally in the wifi networks and the destination websites, there is a Firefox extension that tries to route around the problem by redirecting cookies through encrypted HTTPS connections. Since many web servers don't offer HTTPS, your experience with that extension will be hit or miss. You can also ensure your Gmail is locked down by checking the HTTPS toggle in your Gmail settings (it is secure by default). Your best bet, for now, is to avoid using open wifi networks.
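As an added illustration (not code from the article or from Firesheep), the check below runs over constructed Set-Cookie headers and reports which login cookies a browser would still attach to plain HTTP requests, then shows the header a site would need to send so the cookie only ever travels over HTTPS. The set of session cookie names is an assumption; adjust it per site.

```python
"""Audit Set-Cookie headers for the weakness described above: a login cookie
without the Secure attribute is attached by the browser to every plain HTTP
request, so it crosses an open wifi network in the clear."""

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "leaky": ["sid=7f3a9c; Path=/; HttpOnly",
              "lang=en; Path=/"],
    "hardened": ["sid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax",
                 "lang=en; Path=/"],
}

# Assumed names of cookies that carry the login session.
SESSION_NAMES = {"sid", "session", "sessionid"}


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name.strip(), value, attrs


def sent_over_plain_http(header):
    """True if a browser would send this cookie on an http:// request.
    Only the Secure attribute prevents that; HttpOnly and SameSite do not."""
    _, _, attrs = parse_set_cookie(header)
    return "secure" not in attrs


def audit(headers, session_names=SESSION_NAMES):
    """Return the session cookies in a response that would cross open wifi in the clear."""
    return [parse_set_cookie(h)[0] for h in headers
            if parse_set_cookie(h)[0].lower() in session_names
            and sent_over_plain_http(h)]


def harden(header):
    """Rewrite a Set-Cookie value so the cookie is HTTPS-only and hidden from
    page scripts, keeping every attribute the site already set."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            parts.append(flag)
    return "; ".join(parts)


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, "exposed session cookies:", audit(headers))
    print("fixed:", [harden(h) for h in SAMPLE_RESPONSES["leaky"]])
```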



Comments

    I've been using Chrome and the "KB SSL Enforcer" extension. Forces websites to use HTTPS and SSL if it's available. Also change your default Google search to use SSL for added security. On your mobile, don't bother with using "free" wifi, use your 3G, it'll end up cheaper than losing your account details.

    Whilst I would hardly consider this news for any decent IT geek, it's definitely a good one to get out there in the media because any "point and click" attacks definitely get the public's attention.

      Also, the efforts to add SSL to the sites in question will be irrelevant unless they include mobile device support. Facebook iPhone and Android apps, anyone?

      Totally agree with Edward...

      I've always held the belief [and tried to emphasise this point the most to others] that if you are connected to an insecure wireless network, anything you do online is basically fair game. Likewise for a "secure" network which you do not personally own/can verify.

      But going back to your comment Edward, this problem with unsecured wifi covers ANY data you send over the internet, but of course interesting that it gains attention because of the implications with facebook access!

    News. Insecure networks are insecure

    this has been going on for ages, packet sniffing. now it is widely available

    holy crap!!!!1!!1

    I better get one of my mates to remind me what my facebook password is so I can go in and change it!...
