Firesheep Hacker Pokes Privacy Holes in Facebook, Twitter – Advertising Age – Digital
NEW YORK (AdAge.com) — Over the last few days, the internet was lit up by reports of a security hole in the Firefox web browser that allowed anyone to hack into Facebook, Twitter, Yelp or Tumblr. A freelance programmer named Eric Butler wrote an extension to Firefox (which anyone can install) that exploits this hole by grabbing free-floating cookies in Wi-Fi networks attached to the above-named sites.
The Firesheep extension grabs free-floating cookies in Wi-Fi networks to gain access to other users’ Facebook accounts.
The extension, called Firesheep, takes advantage of a widely known flaw in Wi-Fi setups. When a user logs into his or her Facebook account, the social network’s servers authenticate the user via log-in and password information. Once that person is authenticated, Facebook sends a cookie to that user’s browser to enable access. After the cookie is sent, however, the connection no longer runs on a secure layer, sometimes known as the HTTPS protocol, what is essentially a persistent form of authentication.
Online banking operations, for example, only allow for persistent authentication. Facebook and Twitter, however, do not. In most situations, the lack of a continuous secure connection is not a problem, as the authentication cookie sits on the user’s browser and is not easy to hack. But on public Wi-Fi networks, these cookies are literally floating through the air, a flaw that Firesheep exploits by grabbing them and allowing anyone who has installed the Firesheep extension to access a Facebook session started by someone on any wireless network.
Mr. Butler, who did not return calls seeking comment, wrote on his blog that Firesheep has been downloaded 129,000 times in the last 48 hours. He has even reported on updates to his extension that allows it to work even more efficiently.
While such a security hole — which includes Firefox, Wi-Fi networks and sites like Facebook — is real, they are commonplace and inaccessible to most users. Mr. Butler engaged in what is known as a “proof of concept” hack, a euphemism for what is really a malicious attack on an internet system.
Though hackers offer such proof-of-concept hacks daily, most go unnoticed or are purposefully ignored, as such security flaws only effectively exist as a result of the hacker’s work. The Wall Street Journal wrote about the hack on its Digits blog and many news outlets, including the New York Times, “alerted” its readers via its Twitter stream. The irony in such an announcement, however, is that the more public these proof-of-concept hacks become, the more insecure people’s information.
Mr. Butler does offer a few suggestions for how to protect yourself from his program on his blog. One relatively easy method is to install a different Firefox extension called HTTPS-Everywhere, made available from the Electronic Frontier Foundation.
Still, he offered that there’s no such thing as true security: “[T]here’s no silver bullet (aside from stopping use of the services which you don’t want hijacked.),” Mr. Butler wrote.