The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Can FireSheep collect your Facebook, Twitter or Hotmail data?

    Discussion in 'Security and Anti-Virus Software' started by Baserk, Nov 2, 2010.

  1. Baserk

    Baserk Notebook user

    Firesheep, the new Firefox add-on/Wifi sniffer, has caused a bit of a row.

    This 2-click add-on collects (hijacks/side-jacks) cookies from everyone using an unsecured hotspot and visiting, for instance, Facebook, Hotmail, Yahoo Mail or Twitter.
    While a lot of websites use a secure/https connection to log in and verify the user account information, information sent back to the user is often done over an insecure http connection.
    That can be collected with Firesheep.

    This is nothing new; the vulnerabilities used are years old.
    But what previously took command-line skills can now be done by everyone using Firefox and the add-on.
    Important to understand is that the developers have NO intention to make everyone a wannabe hacker.
    Its goal is to raise awareness about which popular websites offer secure connections and which do not, and to put pressure on websites to give their users a truly safe connection.

    All this only applies if you use an open/unsecured wireless network; f.i. at the proverbial coffeehouse/bar.
    In such cases, users might fall back on the idea of a secure http connection.
    A lot of sites offer them and are therefore trusted.
    Firesheep can show in 2 clicks that this trust is often unwarranted.
    This article from Digital Society on online security explains why tested connections are not necessarily always safe.
    A comprehensive test with Firesheep of Facebook, Twitter, GMail, Google, Microsoft, Ebay, Flickr, Yahoo and Amazon, shows that only one of them is really safe. Just one.

    This article from the same writer explains in more depth why Facebook, Google and Twitter fail.
    As an example:
    If you would log in on f.i. Facebook via unsecured wireless/hotspot, anyone on that network using Firesheep could see your user name and photo and log in to your account.
    In 2 clicks, as the picture (from TechCrunch) below shows:


    So, take caution while browsing and having that espresso/cappuccino/double-latte etc. :)
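The weakness described in this post (an HTTPS login that hands out a session cookie the browser then also sends over plain http) can be checked server-side by auditing the Set-Cookie headers a site issues. The audit below is an added example, not code from the post or from Firesheep; the cookie names, the Set-Cookie samples and the "looks like a session cookie" heuristic are constructed assumptions.

```python
"""Audit Set-Cookie headers for the exposure Firesheep demonstrates.

A cookie set without the Secure attribute is sent by the browser on plain
http:// requests as well, so a session cookie issued by an HTTPS login page
can later be sniffed when the site falls back to HTTP. All headers below are
constructed samples, not captured from any real site.
"""
import re

# Heuristic for cookie names that look like session/auth tokens (an assumption).
SESSION_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_set_cookie(header):
    """Return (name, [problems]); a session-looking cookie must be Secure and HttpOnly."""
    name, attrs = parse_set_cookie(header)
    problems = []
    if SESSION_HINT.search(name):
        if attrs.get("secure") is not True:
            problems.append("lacks Secure: also sent over plain HTTP (sidejackable)")
        if attrs.get("httponly") is not True:
            problems.append("lacks HttpOnly: readable by page scripts")
    return name, problems


def audit_response(headers):
    """Audit a list of Set-Cookie header values; return only the cookies with problems."""
    return [(n, p) for n, p in map(audit_set_cookie, headers) if p]


# Weak pattern (HTTPS login, cookie without Secure) beside the corrected one.
WEAK_HEADERS = ["sessionid=abc123; Path=/; Domain=.example.com", "lang=en; Path=/"]
FIXED_HEADERS = ["sessionid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
                 "lang=en; Path=/"]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        for name, problems in audit_response(hdrs):
            print(f"{label}: {name}: {'; '.join(problems)}")
```

Full-session SSL (what Microsoft and Facebook are pressured into below) is the other half of the fix: the Secure flag only stops the cookie from leaking if the site also serves every page it sets that cookie on over HTTPS.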
     
  2. swarmer

    swarmer beep beep

    I guess this applies to notebookreview too... ;)

    --Anonymous account hijacker at Starbucks
     
  3. Baserk

    Baserk Notebook user

    George Ou, writer of the Digital Society articles linked in the TS, contacted Microsoft on his findings regarding the insecure Hotmail/Windows Live transfer of user account info.
    Microsoft responded and offered good news.

    According to Microsoft:
    'In addition to protecting customers' information at login, in November we will enable Hotmail customers to maintain full-session SSL encryption during their entire Hotmail session, which mitigates cookie-stealing exploits.' (link)

    Facebook will probably offer full SSL also in the future, but apparently as an option only.
    In a response to Forbes they've stated that they 'hope to provide it as an option in the coming months'. (link)

    So it seems that the developer of Firesheep is actually accomplishing his goal.
    The naming and shaming of some of the biggest players/social networking companies on the internet is slowly resulting in real secure SSL connections for their customers. :)

    Kudos to Seattle-based Firesheep developer Eric Butler.
     
  4. MoabUtah

    MoabUtah Notebook Consultant
