You might want to think twice before logging into your favorite websites when using an open Wi-Fi network. A new Firefox extension shows just how easy it is to snatch browser cookies sent over insecure connection for sites such as Facebook and Twitter, allowing malicious users to log into the same website via a process called HTTP session hijacking -- also known as sidejacking. The extension, dubbed Firesheep
, was developed by freelance Seattle-based developer Eric Butler in an effort to push more websites into using full end-to-end encryption for logins.
Firesheep currently targets a few dozen popular sites, including Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, Wordpress and Yahoo. But it is also customizable to target other websites not listed by the developer. Basically what the extension does is eavesdrop on any open Wi-Fi network and list captured cookies on a panel to the left. Typically, this cookie will not contain your password, but even without your password someone using Firesheep can simply load your session cookie with a click and gain access to your account.
In other words someone with access to your Yahoo Mail cookie could send an email on your behalf, with your Facebook he could access friendís profiles and post messages, and so on. This problem doesn't really register when you're on a secure Wi-Fi network -- when WPA is enabled, for example. But of course there are ways to get around that as well.
Butler says moderately knowledgeable hackers were already exploiting this vulnerability, but by making it dead simple to use he hopes to raise awareness and compel sites to raise the bar on security. He also promised to release a new blog post in the next few hours that will help users protect themselves.