Firefox extension exposes Facebook and Twitter passwords
Firesheep, a new extension for the Firefox browser, lets users eavesdrop on unencrypted traffic over unsecured wifi networks
Published 25/10/2010 | 12:31
A new extension for the Firefox web browser makes it easier than ever before to steal account information from people logging on to unencrypted websites via unsecured wifi networks.
Developed by Eric Butler, the Firesheep extension collects the “cookies” that a selection of websites such as Facebook and Twitter use to allow access, and then allows users to “sidejack” their accounts.
The extension works by collecting user information and showing it in a Firefox window; Firesheep then lets each account be taken over simply by clicking on it.
Cookies from Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, GitHub, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo and Yelp are all collected automatically, but programmers can add in their own plugins too.
The extension effectively exploits the same loopholes that Google was inadvertently mining with its Google Street View cars: unencrypted traffic sent over unsecured wifi networks. Secure sites and networks are therefore not at risk.
According to Butler, he built the extension because “it's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.”
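For site operators, the gap Butler describes (an encrypted login followed by cookies that travel in the clear) can be checked from response headers. The following is an added example, not code from Firesheep or from the article; the site `example.test`, the cookie values and the function names are constructed for illustration.

```python
# Added example: audit HTTP responses for cookies that can travel in
# cleartext after an HTTPS login (the weakness described above).

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    https = url.lower().startswith("https://")
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if https and not hsts:
        findings.append("no HSTS: later requests may go over http://")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if not https:
            findings.append(f"cookie {name} set over cleartext HTTP")
        elif "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: also sent on http://")
    return findings

# Constructed sample responses for a hypothetical site, example.test.
WEAK = ("https://example.test/login",
        [("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
HARDENED = ("https://example.test/login",
            [("Strict-Transport-Security", "max-age=31536000"),
             ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure")])

if __name__ == "__main__":
    for url, hdrs in (WEAK, HARDENED):
        print(url, audit_response(url, hdrs) or "ok")
```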