This isn’t a highly technical post by any means, but in a follow up I will explain some basics for less technical users and provide some information on protection.
Recently a Firefox extension called Firesheep was released. Firesheep makes account hijacking easy enough that highly unskilled users can do it. Here’s how it works. A person installs Firesheep on their computer and goes to a coffee shop, airport, or anywhere else there is unsecured public wireless Internet access. Firesheep sniffs the unencrypted network traffic and when it finds cookies for specific websites, such as Facebook, Twitter, and Amazon, it copies the cookies and this allows the Firesheep user to access the legitimate user’s account.
Let’s say you are using free WI-FI at a coffee shop that doesn’t require a password for access. You go to your Facebook account and log in. I am sitting in the same coffee shop running Firesheep and now I have access to your account. I can write messages for you, and see everything you see. If you are using Twitter I can tweet from your account. Most sites that require a password to log in can be attacked using Firesheep.
Shortly after Firesheep was released another person wrote a program called Idiocy. Basically Idiocy does the same thing, except it is limited to twitter and when it captures the Twitter cookie it tweets on the victim’s account “I browsed twitter insecurely on a public network and all I got was this lousy tweet.”
The idea behind Firesheep and Idiocy is to raise awareness of a serious security and privacy problem. Sites like Facebook, Twitter, Yahoo, Windows Live, Amazon, and any others that require a password should be using the https protocol at all times, not just for log in.
There are both legal and ethical considerations when it comes to using these programs. The laws will vary from country to country and probably even in different states in the US. In the US I’m guessing (not guaranteeing) that it is not illegal to use Firesheep to capture the cookies. At the time you double-click on the user’s picture to access their account you have probably broken the law. Currently the legal experts in the US do not agree as to whether simply using Firesheep is illegal. I will not install Idiocy because as it is explained it will automatically engage in unauthorized access of another person’s account. With Firesheep I can see who is surfing insecurely and find other ways of contacting them to educate them without accessing their account.
Before you install and/or use Firesheep, I suggest you research the laws where you are to see if it is likely that even using the program is illegal. If it is not illegal, it still may be illegal to actually use the cookie to access another user’s account. I think it is clearly unethical to do so, even with the best intentions.
Regardless, Firesheep has made using open public WI-FI much riskier than it was before.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center - ESET LLC