A new Firefox extension lets anyone sharing an open wireless network at your neighborhood café or workplace easily access your Facebook, Twitter and myriad other online accounts. It's a terrifying tool designed to highlight a longstanding problem.
Seattle programmer Eric Butler's new Firesheep extension can show you a graphical list of the online accounts of everyone sharing an open wifi network with you. With one click on an icon, you're instantly logged in as them. A screenshot:
"HOLY CRAP" sums up the general Twitter reaction, as compiled by TechCrunch.
The vulnerability exploited by Firesheep has been there for years. Many major websites transmit the keys to your account — your login HTTP "cookies" — completely in the clear, with no encryption whatsoever. That's not a problem when you're on a well secured wireless network; for example if your local cafe uses WPA encyrption on the router, you'd almost certainly be fine. The vulnerable networks are those that are totally open, as well as, possibly, networks that use the weak WEP password system. You'll typically see these types of vulnerable networks in college dormitories, cafes and restaurants, or at other businesses that never bothered to modernize their wireless infrastructure.
Vulnerable sites include Amazon, Dropbox, Facebook, Flickr, Foursquare, Google, nytimes.com, Tumblr, Twitter, Wordpress, Yahoo and Yelp. These sites could fix the problem by routing cookies through the secure HTTPS protocol. Indeed, encouraging them to do so is why Butler created Firesheep:
Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web.
Judging from internet reaction to Firesheep, that's already happening.
Update: This vulnerability exists outside of the browser, so it's not Firefox specific, and switching to Chrome will not help, as some commenters have suggested. It also shouldn't affect cellular data networks, including 3G networks, so we've updated our wording above to make it clear we're talking about wifi.
Although the problem is fundamentally in the wifi networks and the destination websites, there is a Firefox extension that tries to route around the problem by redirecting cookies through encrypted HTTPS connections. Since many web servers don't offer HTTPS, your experience with that extension will be hit or miss. You can also ensure your GMail is locked down by checking the HTTPS toggle in your Gmail settings (it is secure by default). Your best bet, for now, is to avoid using open wifi networks.
[Photo via Shutterstock.com]