PC World - Want to hack someone else's Amazon, Facebook, Twitter or Windows Live account in just one click? A Firefox extension called Firesheep claims you can by hijacking a person's current user session over an open Wi-Fi connection.
I tested the extension out and to my horror it works as advertised - almost, that is.
Firesheep was created by Seattle-based software developer Eric Butler who said he created the extension to highlight the security risks associated with session hijacking, also known as sidejacking.
Firesheep targets 26 online services, including Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, WordPress and Yahoo. The extension is also customizable, allowing a hacker to target other Websites not listed by Firesheep.
While Firesheep sounds scary (and once again highlights the security concerns of using open Wi-Fi), the new Firefox extension is not as frightening as it sounds.
How Firesheep works
Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension waits for someone to log in to any of the 26 sites listed in Firesheep's database. When you log in to Amazon, for example, your browser sends its Amazon-specific cookie to the site with each request, and that cookie contains personally identifying information such as your user name and an Amazon session ID.
As your browser swaps cookie information back and forth with the Website, a third party on the same network can intercept that communication and capture info including your user name and session ID. Typically, the cookie will not contain your password. But even without your password, the fact that Firesheep has snagged your session cookie means that a hacker can, at least in theory, access your account and gain virtually unrestricted access. If the hacker got your Yahoo Mail cookie they could send an e-mail; if it was Facebook they may be able to post a message, and so on. Any operations that require your password, however, such as accessing your credit card information on Amazon, should not be possible using Firesheep.
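The weakness described above is that the session cookie travels in clear text, so the fix is on the site's side: mark the cookie Secure (the browser then never sends it over plain HTTP) and send a Strict-Transport-Security header so the browser stops making plain-HTTP requests at all. The checker below is an added example, written for this page and not taken from the PC World article or from Firesheep's author; it parses Set-Cookie headers and reports session cookies that a sniffer on an open network could read. The sample responses, the .example.test domain and the session-name heuristic are all constructed assumptions.

```python
"""Audit HTTP response headers for the weakness Firesheep relies on.

Firesheep only works when a site's session cookie travels over plain
HTTP, where anyone on the same open Wi-Fi network can read it. A cookie
carrying the Secure attribute is never sent over HTTP, and a
Strict-Transport-Security (HSTS) header stops the browser from making
plain-HTTP requests in the first place. This checker parses Set-Cookie
headers and reports session cookies that would be exposed.
"""

# Cookie-name fragments that usually mark a session/authentication cookie.
# This is a heuristic (an assumption of this example), not a standard.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into name, value and lower-cased attributes.

    Flag attributes without a value (Secure, HttpOnly) are stored as True;
    valued attributes (Path, Domain, Expires, ...) keep their string value.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_response(headers):
    """Return a list of findings for a list of (header-name, value) pairs.

    An empty list means no session cookie in the response would be readable
    by a passive sniffer on an open network.
    """
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header: the browser may still "
                        "make plain-HTTP requests that carry cookies")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not looks_like_session_cookie(cookie["name"]):
            continue
        if cookie["attrs"].get("secure") is not True:
            findings.append(f"{cookie['name']}: missing Secure, so it is sent over "
                            "plain HTTP and can be captured on an open Wi-Fi network")
        if cookie["attrs"].get("httponly") is not True:
            findings.append(f"{cookie['name']}: missing HttpOnly, so page scripts "
                            "can read it")
    return findings


# Constructed sample responses (example.test is a reserved test domain);
# not captured from any real site.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; Domain=.example.test"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Domain=.example.test; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(response) or ['no findings']}")
```

To check a site you operate, paste the response headers from its login page (for example, the output of `curl -sI https://your-site/`) into the list that `audit_response` takes. The weak response above reproduces the situation Firesheep depends on; the hardened one shows the two headers that close it.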
Firesheep put to the test
Since I wasn't close to a public Wi-Fi hotspot today, I tested Firesheep on my own home network using Firefox 3.6 for Mac OS X. The problem is I use WPA2 encryption at home, a Wi-Fi security standard that encrypts all user traffic going between your PC and the router. So the only way I could test Firesheep was on my own machine, which I did by browsing on both Firefox and Chrome.
To get started I installed Firesheep on Firefox, and then opened it up by clicking on View>Sidebars>Firesheep. I then saw a blank sidebar with a button at the top that said "Start Capturing." Once I clicked the button to start snooping, the extension asked for my computer's master password so that the extension could access and make changes to my machine. Needless to say, this is not something I would recommend you try on your own computer. After the sidebar was working it started grabbing user IDs as promised for sites I logged in to including Amazon, Facebook, Google and The New York Times. Firesheep was able to grab my user name and profile photo (when available) and then display each account in the sidebar.
Originally published on www.pcworld.com.