Firefox extension makes social network ID spoofing trivial
Posted on 25 October 2010.
A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

"When it comes to user privacy, SSL is the elephant in the room," said Eric Butler, the developer of the extension in question, dubbed Firesheep. By installing and running it, anyone can "sniff out" the unencrypted HTTP sessions that users on the same network segment have open with social networks, online services and other websites requiring a login, and simply hijack them and impersonate the user.


"As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed," explains Butler. "Double-click on someone, and you're instantly logged in as them."

It is not that this was impossible to do before the advent of Firesheep, but it required knowledge that average Internet users didn't have. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win," says Butler.

Whether he will succeed in pointing out the need for full end-to-end encryption and spurring websites into action remains to be seen. Among the websites whose cookies Firesheep can identify are Facebook, Flickr, Amazon.com, bit.ly, Google, Twitter, Yahoo, WordPress, and many others.

As I write this, the extension has been downloaded some 8,000 times, and the number is rising by the second. Wouldn't it be amazing if an action such as this could bring about the realization of a more secure Internet?
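
A site operator can check for the exposure described above by auditing response headers: a session cookie without the Secure attribute is sent over plain HTTP, where anyone on the same network segment can read it. The following is an added example, not code from Firesheep or from the original article; the function names, URLs and cookie values are constructed for illustration.

```python
# Added example: audit response headers for session cookies exposed to sniffing.
# All URLs, cookie names and values below are constructed sample data.

def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, headers):
    """List the ways this response leaves its cookies readable on a shared network.

    url     -- URL the response was served from
    headers -- list of (name, value) tuples; Set-Cookie may repeat
    """
    findings = []
    https = url.lower().startswith("https://")
    header_names = {name.lower() for name, _ in headers}
    if not https:
        findings.append("response served over unencrypted HTTP")
    elif "strict-transport-security" not in header_names:
        findings.append("no HSTS header: later requests may fall back to HTTP")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie}' lacks Secure: browser sends it over HTTP")
    return findings


# Constructed responses: the same login page before and after hardening.
SAMPLE_WEAK = ("https://social.example/login", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=constructed123; Path=/; HttpOnly"),
])
SAMPLE_HARDENED = ("https://social.example/login", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=constructed123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for url, headers in (SAMPLE_WEAK, SAMPLE_HARDENED):
        print(url, audit_response(url, headers) or "no findings")
```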






COPYRIGHT 1998-2014 BY HELP NET SECURITY.