
Firesheep exposes Facebook and Twitter users to amateur hackers

By The Drum Team, Editorial

October 26, 2010 | 3 min read

A new extension for the Firefox web browser allows users to hijack the accounts of people logging into sites such as Facebook and Twitter on unsecured wireless networks.

The Firesheep tool has been created by Seattle developer Eric Butler to expose the lax privacy measures of some of the most popular sites on the web.

As soon as anyone on an unsecured network logs into an insecure website, their name and photo will be displayed in the Firesheep window ready to be exploited.

The software works by latching onto the 'cookies' that contain information about a user's web session. As Butler explains: "On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy."

Butler says the risk could be avoided if all sites became fully encrypted, like the secure ones used for online banking.

He writes on his blog: "Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely?

"Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website."

Tom Martin, a developer at the 383 Project in Birmingham, explained how Firesheep works and what exactly it does:

"The hack works by intercepting traffic between your computer and sites like Facebook and Twitter. The app steals cookies and allows you to impersonate another user on the network. Even if your home or office network is secure, anywhere you use a public network you could be in trouble - even iPhones connected to The Cloud in public areas such as cafes and shopping centres could be vulnerable to this type of attack.

"Facebook already takes steps to prevent sign-in fraud if it detects a sign-in from another location or country, but as the victim and attacker are likely to be physically close to each other this type of defence will be ineffective. Facebook and Twitter can secure their sign-in process by using SSL; this is the same technology used by banks and online retailers to protect your connection."
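As an added illustration of the weakness described above (example code written for this page, not code from the article, from Firesheep or from either site), the Python check below audits a site's Set-Cookie headers from the defender's side: a session cookie issued over plain HTTP, or issued without the Secure attribute, is one the browser will transmit in clear text on an open network. The sample responses, the cookie names and the host example.test are constructed, and the session-cookie name hints are a heuristic.

```python
"""Defender-side check for the Firesheep weakness: session cookies that
travel in clear text over an open wireless network (constructed example)."""

# Constructed sample responses: URL -> Set-Cookie header lines received.
# The hostname example.test is a placeholder, not a real site.
SAMPLE_RESPONSES = {
    "http://example.test/home": [
        "session_id=abc123; Path=/; HttpOnly",  # session cookie sent in the clear
        "prefs=dark; Path=/",                   # not a session cookie, ignored
    ],
    "https://example.test/login": [
        "session_id=abc123; Path=/; Secure; HttpOnly",  # hardened form
    ],
    "https://example.test/feed": [
        "auth_token=xyz; Path=/",  # HTTPS, but no Secure flag: the browser
    ],                             # resends it on any later http:// request
}

# Substrings that usually mark a cookie as carrying login state (heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names)."""
    name_value, *attributes = header.split(";")
    name = name_value.strip().partition("=")[0]
    flags = {a.strip().partition("=")[0].lower() for a in attributes if a.strip()}
    return name, flags

def audit_response(url, set_cookie_headers):
    """Return [(cookie name, reason code)] for session cookies that a sniffer
    on the same open network could capture and replay."""
    findings = []
    scheme = url.split("://", 1)[0].lower()
    for header in set_cookie_headers:
        name, flags = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue
        if scheme == "http":
            findings.append((name, "plaintext_transport"))  # value already on the air
        if "secure" not in flags:
            findings.append((name, "no_secure_flag"))  # resent over http:// later
    return findings

def audit_site(responses):
    """Audit every response; only URLs with findings appear in the result."""
    return {url: f for url, h in responses.items() if (f := audit_response(url, h))}

if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_RESPONSES).items():
        print(url, findings)
```

A site passes only when every response that sets a session cookie is served over HTTPS and marks the cookie Secure, which is the "fully encrypted" state Butler calls for.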

Firesheep's arrival coincides with Google being investigated for inadvertently collecting reams of data from unsecured wireless networks.
