Firesheep currently targets a few dozen popular sites, including Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, Wordpress and Yahoo. But it is also customizable to target other websites not listed by the developer. Basically what the extension does is eavesdrop on any open Wi-Fi network and list captured cookies on a panel to the left. Typically, this cookie will not contain your password, but even without your password someone using Firesheep can simply load your session cookie with a click and gain access to your account.
In other words someone with access to your Yahoo Mail cookie could send an email on your behalf, with your Facebook he could access friendís profiles and post messages, and so on. This problem doesn't really register when you're on a secure Wi-Fi network -- when WPA is enabled, for example. But of course there are ways to get around that as well.
Butler says moderately knowledgeable hackers were already exploiting this vulnerability, but by making it dead simple to use he hopes to raise awareness and compel sites to raise the bar on security. He also promised to release a new blog post in the next few hours that will help users protect themselves.