In yet another privacy debacle, social media sites like Facebook and Twitter are being hacked via public WiFi with a new Firefox extension called Firesheep, released earlier this week.
Over the last few days, the internet was lit up by reports of a security hole in the Firefox web browser that allowed anyone to hack into Facebook, Twitter, Yelp or Tumblr. A freelance programmer named Eric Butler wrote an extension to Firefox (which anyone can install) that exploits this hole by grabbing free-floating cookies in Wi-Fi networks attached to the above-named sites.
The extension, called Firesheep, takes advantage of a widely known flaw in Wi-Fi setups. When a user logs into his or her Facebook account, the social network’s servers authenticate the user via log-in and password information. Once that person is authenticated, Facebook sends a cookie to that user’s browser to enable access. After the cookie is sent, however, the connection no longer runs on a secure layer, sometimes known as the HTTPS protocol, what is essentially a persistent form of authentication.
Online banking operations, for example, only allow for persistent authentication. Facebook and Twitter, however, do not. In most situations, the lack of a continuous secure connection is not a problem, as the authentication cookie sits on the user’s browser and is not easy to hack. But on public Wi-Fi networks, these cookies are literally floating through the air, a flaw that Firesheep exploits by grabbing them and allowing anyone who has installed the Firesheep extension to access a Facebook session started by someone on any wireless network.
Read the entire article.