The Wolf In Firesheep Clothing Exposes Security Holes in Facebook, Twitter

by Gaurav Kheterpal on November 22, 2010

Are you a social-media junkie who likes to be hooked up to Facebook and Twitter all the time – be it at the airport, Starbucks or McDonald’s? Free public Wi-Fi saves you a few bucks, but it exposes you to severe security vulnerabilities. A case in point is Firesheep, a Firefox plug-in capable of stealing account information from Facebook, Twitter and hundreds of other online accounts when their owners log in from unsecured public Wi-Fi.

There have been mixed user reactions to Firesheep, ranging from “Didn’t I tell you free Wi-Fi isn’t safe?” and “It’s a bug in Twitter and Facebook’s security implementation” to “Social media isn’t secure” and what not. While the social media fraternity continues to be in denial mode, Firesheep is a well-timed reminder of the gaping security holes in the internet and the pressing need to address the insecurity of public Wi-Fi sooner rather than later.

Firesheep is the work of Eric Butler, a freelance application developer who made the proof of concept public after presenting it at a recent security event. The plug-in is a smart piece of code which exploits known issues on unsecured Wi-Fi networks, but it ain’t rocket science by any means. Butler exposed the limitation of websites that use browser cookies sent over plain HTTP to maintain session information: since those cookies travel unencrypted, they are an easy target for anyone snooping on the same unsecured network. While session cookie exploits are a common phenomenon in the hacking community, Butler opened them up for public access by releasing a one-click install for Firefox.
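To make the cookie problem concrete from the defender’s side, here is an added example (not Butler’s code and not from the original post) that audits Set-Cookie headers for the attributes which keep a session cookie off plain HTTP. The hosts, cookie names and header values are constructed sample data, and the session-name heuristic is an assumption of this example.

```python
from urllib.parse import urlparse

# Constructed sample: raw Set-Cookie headers of the kind a site might return
# (hypothetical hosts and cookie names, not captured from any real service).
SAMPLE_RESPONSES = {
    "http://social.example/login": [
        "sessionid=abc123; Path=/",                          # no Secure, no HttpOnly
        "prefs=dark; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT",
    ],
    "https://secure.example/login": [
        "sessionid=def456; Path=/; Secure; HttpOnly",        # stays off plain HTTP
        "csrf=xyz; Path=/; Secure",
    ],
}

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")  # name fragments hinting at login state (heuristic)

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {attribute: value}), attributes lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookie(url, header):
    """Return the findings for one cookie set by `url`; an empty list means nothing to flag."""
    name, attrs = parse_set_cookie(header)
    session_like = any(hint in name.lower() for hint in SESSION_HINTS)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends this cookie on plain http:// requests
        # to the host, so it crosses an open Wi-Fi network in the clear.
        findings.append(f"{name}: missing Secure attribute")
    if session_like and "httponly" not in attrs:
        findings.append(f"{name}: session cookie readable by page scripts (no HttpOnly)")
    if session_like and urlparse(url).scheme == "http":
        findings.append(f"{name}: session cookie issued over plain HTTP")
    return findings

def audit_responses(responses):
    """Map each URL to the findings for every cookie it set."""
    return {url: [f for h in headers for f in audit_cookie(url, h)]
            for url, headers in responses.items()}

if __name__ == "__main__":
    for url, found in audit_responses(SAMPLE_RESPONSES).items():
        print(url, found or ["ok"])
```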

Once you have access to another user’s cookies, it’s not hard to comprehend the amount of damage that can be done. And it’s not just Facebook and Twitter: the list includes some of the biggest names in the technology world, including Foursquare, Gowalla, Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, GitHub, Google, Hacker News, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, Tumblr, Twitter, WordPress, Yahoo, Yelp and several others.

Facebook says that it’s making progress testing SSL access and hopes to provide it as an option in the coming months. Till then, it urges people to use caution when sending or receiving information over unsecured Wi-Fi networks. Twitter maintains a similar stance and is actively exploring avenues for increasing user safety that would address this issue. Understandably, there is a plethora of third-party tools and techniques which claim to bypass or prevent Firesheep from accessing your login information on unsecured Wi-Fi, including BlackSheep, Sophos and using a VPN, among several others. The Firesheep “controversy” has also been used as an opportunity by several security experts to vent their views on public Wi-Fi hotspots and how to deal with this problem.

I’m not a security expert, so I won’t get into the discussion of how you can save your online identity from Firesheep & company. And I’m not a big fan of Wi-Fi anyway, irrespective of whether it makes kids sick or not. My interest is in tackling this issue at the broader level of internet safety: perhaps make Secure Sockets Layer (SSL) a mandatory requirement for such websites, or explore an alternative avenue for securing free public Wi-Fi networks. Your thoughts are welcome.

Too many sheep spoil the eggs and it’s fair to say that a few firesheeps would be enough to spoil the internet.

Written by: Gaurav Kheterpal. www.digitcom.ca