This Firefox extension can steal login and passwords for Facebook, Twitter, Tubmlr, WordPress, Yahoo, Windows Live and many others!
I read about ‘Firesheep’ and surprised how easy it is to steal somebody’s Facebook login and password via open Wi-Fi. Any novice (hacker wannabe) can easily use the add-on and in a nice Firefox’s user interface (unlike other hacker’s tool) too.
Firesheep is an add-on (extension) for Firefox that sniffs users that logged-in into their Facebook account in open unsecure open Wi-Fi. It gets your username and password by capturing users’ cookies. The term is ‘sidejacking’ or maybe ‘sessionjacking’ but then doesn’t matter what’s term, it really can steal your passwords.
It can eavesdrops not just your Facebook login and password but also, (it’s a long list): Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, Tumblr, Twitter, WordPress, Yahoo, YelpNot
Based on Techrunch reports and other testing, the plugin does really works. Firesheep is a real threat, isn’t? It’s an extension, just an add-on for a browser but able to do such thing.
I am not here to introduce the tool but to create the awareness. Those who are into sniffing and hacking already knew this long before many of us know, anyway. Maybe they already got your Facebook or Twitter passwords!
I am not in the position to test it but if you have your Wi-Fi networking set-up you can test how secure your wi fi against Firesheep. Of course you also can test other open public wi fi. If unsecure, tell the admin or don’t use the wif-fi. Who knows who else in your free Wi-Fi neighbourhood is using Firesheep too.
You can download Firesheep here: https://github.com/codebutler/firesheep/downloads
Firesheep comes with official site, blog and discussion: http://codebutler.github.com/firesheep/
After install, Firesheep should appear on the left inside Firefox’s window:
How to protect against Firesheep?
Well, the good news is, there are other Firefox add on that can counter Firesheep. Based on the fact that Firesheep exploits insecure http access, this add-on force Firefox to use https (encrypted data) when available.
Here are the Firefox extensions you can install to to protect against Firesheep:
Note that those plugins to counter Firesheep can help to protect to a certain extent only. There are other password stealers too. If you really love your Facebook account, the best way is DON’T USE PUBLIC OPEN WI FI.
The most important thing is to be wary when using open WiFi. Just because you just found FREE internet access in cafe nearby you, doesn’t mean you just can simply log in (if you are concern about security) without checking.
Arkwardly, to check how vulnerable the WiFi is, you need to install the sniffer tool (Firesheep) too, even if you don’t intend to steal others’ login. “To catch a thief you need to think like a thief” applies here.
Also you can use Virtual Private Network (with encrypted data) as a proxy. You can get some info on Virtual Private Network here: Free VPN. To reduce the windows of opportunity make sure to log out of Facebook after finish your facebooking.
Norton’s Community: Could Firesheep Lead to More Cyberbullying
Ways to protect:
Five-ways-to-shear-firesheep (Update: website is not available)
Add-on to protect against firesheep: firesheep-protection/
If you wonder what Facebook said about this Firesheep:
Facebook spokesman Andrew Noyes said, “Facebook has been testing a technology that will close out this loophole and they hope to provide it within the next few months. However, as always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks.”
Websites are actually responsible to provide secured login (forced htts). Suggest you ask your favourite login sites about this issue.
Websites affected in the list are among the most popular, the real list actually could includes almost all websites that use insecured http login. (BTW online banking websites use secured htts – should be fine unless you have Keylogger in your PC)
Not just Firesheep, other tools could exploit insecure http access too. It’s a matter of time before an improvised version of Firesheep (Firegoat maybe) come out.
Do spread the awareness, many people still access internet on every chance when there is free Wi-Fi internet without realizing how easy their Facebook or Twitter and what else to be gone within seconds.