FireSheep Makes Identity Theft Easy

Unless you’re a techie, you probably haven’t heard of FireSheep yet.  But with 263,967 and counting downloads, you better hear about it quickly before you feel it.

What is FireSheep?

FireSheep, in a nutshell, is a plugin for Firefox which allows you to take over somebody on your wireless network’s Facebook / Twitter / Flickr / and other  session.

Is it a virus? No.
Is it malicious? Yes, it can be used for nasty shit like taking over your online life.
Is it because of the browser I use? No.
Does it have anything to do with my Wi-Fi network’s setup? No, not directly.

The problem is the website / service you visit and nothing you are doing as such.

The creator of FireSheep, Eric Butler, was sick and tired of the insecure web and he created this plugin as a message to service providers like the ones mentioned above, to plug up the holes in their websites and services and make the web a safer place to be.

Of course, in the meantime everyone is at risk of becoming a victim of this exploit. It’s for the greater good, but you could well lose your account before that great good is achieved.

How does it work?

In order to log on to your account at any given website, you have to log in with your username and password.  But did you know that if you just log on at an http address, like you do at Twitter and Facebook, your username and password is floating through the air for anybody with the right eyes to see?

At Gmail however, you’re in luck.  Their login page is located at an https address – the s in this case standing for Secure – as in Secure Socket Layer.  How this helps you is that your browser scrambles your username and password before it send it to Google. Google unscrambles it, checks it and logs you in into an environment where all communication are encrypted before it flies backwards and forwards on the Internet, making it really hard for anybody to easily read.

With Facebook and Twitter, once they verified your username and password, you get a Cookie (a bit of text to identify you for this surfing session) that is stored on your computer.  FireSheep does its magic by copying this Cookie to somebody else’s browser, allowing them to use Facebook / Twitter as if they were you.

You see where the danger lies?

Is This New?

No it isn’t.  This has been possible for a long, long time – but up until now you had to know a bit about how it works and also how to do it, not everybody’s cup of tea.

With FireSheep however it’s literally as easy as installing a tiny bit of software and seeing a list of people whose accounts you can hijack. With the click of a mouse you can turn into that person and take control of their account.

Should I Panic?

If you’re on a public Wi-Fi network, hell yeah!

If you’re on your password protected Wi-Fi network at home, or you’re on a wired network, then no, you don’t have to panic.

What can I do to prevent attacks from Firesheep?

For now, the best thing to do is to not surf important accounts on a public WiFi network if at any point the address starts with http.

If you surf the web with Firefox, you can install either HTTPS Everywhere, or FORCE-TLS – both of which will help your browser insist on using secure connections where they are available on Facebook, Twitter and the like.  This provides limited protection.

For the rest of us who don’t use Firefox… we’re stuffed.

The ultimate solution is for these website and services to start using HTTPS from their side to make the web a safer place for us all.

Download the Firefox FireSheep Plugin for Windows or Mac and write to your favourite website / service to ask them to make the web a safer place for you.

Update 27 Oct: I was just on an open WiFi network (no password) with 2 computers: One is an iMac with FireSheep installed in Firefox, and with the other I was an Ubuntu 10.4 laptop on which I was browsing Twitter and Facebook using Firefox…. and nothing. Firesheep didn’t detect anything, except for when I was surfing Facebook on the iMac and in the browser in which FireSheep was running (which is kind of pointless, sniffing yourself like that). So currently, it didn’t work for (or against) me.

2 Comments

  • Lorna

    28 October 2010 at 19:37

    Initially, FireSheep freaked me out! But after reading your footnote, well… perhaps sniffing others' data isn't as easy as FS claimed it to be? Anyway, thanks for the heads up on the plugin.

  • 1Earth

    28 October 2010 at 19:52

    I wouldn't rest easy because of my experiment – I might well be doing something wrong.

    I think for the sake of making their point through sensationalism, the creators may well have omitted some vital conditions for this to work.

    However, basic knowledge such as your average malicious computer user might posses, will probably get it to work easily enough.

Post a Comment