Like Lambs to the Slaughter? Firesheep Lets Anyone be a Hacker

A few days ago I wrote about Starbucks’ new Digital network (WiFi) push giving users not only internet access, but also “a wide array of great, premium online content.” Included in that article were 6 steps to Safer WiFi use.

Now, with the launch of a new application called Firesheep, there are a couple more safety concerns you need to protect against.

What is Firesheep?

Firesheep is a new, free add-on application to Firefox developed by Eric Butler that makes it a easy for anyone to snoop on a WiFi network and steal other people’s online accounts – without even needing to steal their passwords. You just download the application, then go to any location with an open WiFi network and click the ‘Start Capture’ button in the app.

Instantly the app begins capturing login information of people in your vicinity, and it shows you the user names (and photos) of those logged into one of the services that Firesheep collects information from. Then, to log into a site as one of those users, just double-click on their name and you’re logged in using their account.

How does it capture your information?

“When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent [login] requests.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable.

Ian Paul at PCWorld has a good explanation of how Firesheep works.

Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension waits for someone to log in to any of the 26 sites listed in Firesheep’s database -[including big sites such as Facebook, Twitter, Flickr,, Google and Amazon].

When you log in to Amazon, for example, your browser’s Amazon-specific cookie communicates with the site and contains personally identifying information such as your user name and an Amazon session number ID.

As your browser swaps cookie information back and forth with the Website a third party can hijack that communication and capture info including your user name and session ID. Typically, the cookie will not contain your password. But even without your password, the fact that Firesheep has snagged your session cookie means that a hacker can, at least in theory, access your account and gain virtually unrestricted access. If the hacker got your Yahoo Mail cookie they could send an e-mail; if it was Facebook they may be able to post a message; and so on. Any operations that require your password, however – such as accessing your credit card information on Amazon – should not be possible using Firesheep.

Butler, defended releasing his add-on in a blog post on Sunday, saying that warnings about site insecurities by others have been ignored. “[Sites have] been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure Web,” Butler wrote in “My hope is that Firesheep will help the users win.”

Possibly, but in the short term, with an enormous 320,000 downloads since Sunday (an average of about 79,000 downloads per day), it’s a stretch to believe Butler’s ‘awareness campaign’ it isn’t going to do far more harm than good.

WiFi Risks aren’t new

For years, security experts have cautioned users that connecting to a non-encrypted WiFi network exposes you to malicious attacks, data theft and account hijacking. However, few users have paid much attention, casually  logging on to WiFi hotspots to check bank information, log onto social networks, shop online, read their email or browse the web.

That casual attitude has been based on two beliefs: 1)  the belief that most people are honest and just doing their own thing not trying to wreak havoc on others (which is true) and, 2) there really aren’t that many people who have the skills needed to steal information or harm devices if they wanted to.

Now that stealing your credentials has become so easy your grandmother could do it, you might want to reconsider that laid back attitude – particularly in light of the enormous numbers of people who have already downloaded the app.

The security gap with most cookies is a well known problem, but even very popular websites still fail to protect users by encrypting their cookies.  Unfortunately, until web service operators take your security more seriously and fully encrypt their services, you have few safe choices. You can choose to never use public Wi-Fi, which would be rather inconvenient for many users, or you can pay your way out of the risk by purchasing a cell phone provider’s 3G or 4G data plan.

Click here to learn more about other solutions security experts offer for defending against Firesheep snooping.

Mozilla can cripple add-ons to their browser, but Mozilla’s director of Firefox, Mike Beltzner, has said that Mozilla will not activate the kill-switch because Firesheep doesn’t exploit a vulnerability in their browser.

He instead suggested that Firefox users could protect themselves against Firesheep sniffing and hijacking by installing Force-TLS which would require their browser to use an encrypted HSTS (HTTP Strict Transport Security) connection when it accesses certain sites.

A poll found that two-thirds of their readers who participated in the poll support Mozilla’s decision – I doubt the general public agrees.



Comments are closed.

%d bloggers like this: