How I Hacked Your Facebook and Twitter Accounts with Firesheep

Photo by Avinash Kunnath

If you enjoy browsing Facebook or Twitter at your favorite Starbucks, things aren’t looking optimistic for you.

Two days ago, freelance web application and software developer Eric Butler released a Firefox extension called Firesheep that lets anyone(yes, even your neighbor’s cat), become an amateur hacker with a simple click of a button. Now, with nearly 300,000 downloads to date and growing, Firesheep is proving to be the catalyst we need for safer web browsing.

Technical Matters First…

How does Firesheep work? Firesheep is no different than other similar tools that have been created before to hijack unsuspecting user’s HTTP session. The only difference this time around is that it makes it so much simpler for anyone to use. All you have to do is download and install the extension, and you’re set.

Whenever you log in to any website like Facebook or Twitter, the server on the other end receives your inputted information and attempts to authenticate you. If your credentials verify properly, you are logged in and your browser is given a “cookie” that stores that information during subsequent requests. Cookies are commonly used for authentication purposes, storing site preferences, and shopping cart contents.

According to Butler, “it’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else.” In this case, many social media sites(most notably Facebook and Twitter) leave you vulnerable to hackers who can login with your credentials and promptly make your life miserable.

OMFG!@# WHAT CAN I DO TO PROTECT MYSELF FROM THE EVILS OF FIRESHEEP????

The best way to protect yourself is to avoid visiting Facebook, Twitter, or other unsecure websites whenever you use a public Wi-Fi network that isn’t password protected or encrypted. No, this doesn’t mean that you should stop using public Wi-Fi. As Butler explains, “this isn’t a direct vulnerability in wifi, it’s the lack of security from the sites you’re using.”

Another simple fix is to opt for HTTPS or SSL whenever possible. By doing so, you’ll be able to browse the web with an encrypted connection that cannot be as easily read by the likes of Firesheep or other tools.

How do you know if the site you are on is using HTTPS? Usually, you can look for the “https://” in your browser’s address bar. On Google Chrome, it’s indicated by a green lock followed by the green text “https.” Like so:

Since most people wouldn’t be able to remember to type “https” every time they visit a site, there are tools that you can use to automate the process for you. On Chrome, there is an extension called KB SSL Enforcer which automatically detects whether a site supports SSL and redirects you to it. On Firefox, you can use Force TLS which does basically the same thing.

Why doesn’t Facebook and Twitter default to the secure HTTPS protocol?

Primarily because the HTTP protocol is faster. It takes slightly more time for your connection to the site to be encrypted entirely, thus slowing down the loading of some pages. Secondly, not enough people know enough about this security vulnerability to lash out and raise hell as they did during Facebook’s privacy debacle. Hopefully, Firesheep will ignite that badly needed public outcry to instill real change for users’ privacy.

Last thoughts…

By now, you’re probably wondering, does Firesheep actually work? Absolutely.

The simplicity of setting it up and getting it to work was chilling to say the least. Yes, I admit. I’m guilty, but the curiosity overtook me and I had to see for myself. Let this be a lesson whenever you feel the urge to tweet using Starbuck’s free Wi-Fi.

  • http://www.adesignersblog.com Helge-Kristoffer Wang

    Nice read. I’ve tried Firesheep and it was.. well, you can call it easy to use.

    • http://loneplacebo.com/about Tony Hue

      I’m looking out for you the next time I’m surfing the Internet on public Wi-Fi. :)

  • joe

    good read, though i doubt anyone would try hacking my facebook anytime soon.

  • http://www.adesignersblog.com Helge-Kristoffer Wang

    Looking forward to it then, Tony. :)

  • Alice

    Hmm. Interesting read. I should give it a try….

  • http://intelligines.com Gines

    I didn’t knew about Firesheep until now. I might try it out of curiosity.

    Thanks for the share, Tony. It’s been a while since I was here.

    Have a good one.

  • http://handpickedtomatoes.com/blog Stephen Kane

    Tony – interesting post. Having just launched a mortgage financing site with front to back SSL, your article made me feel good to know the site’s users won’t have anyone watching over their shoulders as they sip their lattes and look for lower mortgage rates. While I know about HTTPS, I often surf on public wifi’s and don’t always remember to use it. Your post is a timely reminder. Thanks!

  • http://www.shopping-cart-reviews.com/blog kirsty

    Thanks for letting us be aware of firesheep. I didn’t know abything about this until now and I do hope that mozilla won’t allow this or banned this because this is not a good addons. A lot of people must be aware of it and thanks for sharing this.

  • http://precktazman.blogspot.com/ tipsntricks

    Thanks for the heads up! Be better careful next time and each time you log into your internet accounts.

  • http://ekendraonline.com/ Ekendra

    I’ve never been successful on this approach! Tried many times but… maybe everyone else was using https ver. of sites.