Firefox extension makes social network ID spoofing trivial
Posted on 25 October 2010.
A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

"When it comes to user privacy, SSL is the elephant in the room," said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can "sniff out" the unencrypted HTTP sessions currently allowing users on that network segment to access social networks, online services and other website requiring a login, and simply hijack them and impersonate the user.

"As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed," explains Butler. "Double-click on someone, and you're instantly logged in as them."

It is not that this was impossible to do before the advent of Firesheep, but it included the use of some knowledge that average Internet users didn't have. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win," says Butler.

Whether he will succeed in pointing out the need of full end-to-end encryption and spur websites into action, it remains to be seen. Among the websites whose cookies Firesheep can identify are Facebook, Flickr,,, Google, Twitter, Yahoo, WordPress, and many others.

As I write this, the extension has been downloaded some 8,000 times, and the number is rising by the second. Wouldn't it be amazing that an action such as this could bring about the realization of a more secure Internet?


Pen-testing drone searches for unsecured devices

You're sitting in an office, and you send a print job to the main office printer. You see or hear a drone flying outside your window. Next thing you know, the printer buzzes to life and, after spitting out your print job, it continues to work and presents you with more filled pages than you expected.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Oct 9th