Firesheep Sniffs Out User Credentials On Wi-Fi Hotspots

Firefox: Firesheep sniffs out and steals the session cookies that popular websites set, and with them the account and identity of their owner, from the browsing sessions of other users on the Wi-Fi hotspot you're attached to.

Firesheep is a proof-of-concept Firefox extension created by Eric Butler to show how leaky the security of many popular websites (Facebook, Flickr, Amazon.com, Dropbox, Evernote and more) really is. The problem, as Firesheep demonstrates all too clearly, is that many websites only encrypt your login. Once you are logged in, they drop back to an unencrypted HTTP connection and identify you by nothing more than a session cookie that your browser sends with every request. Anyone who captures that cookie can replay it and be you; the site checks nothing else. On an open public hotspot every other user shares the same radio, so anyone there can capture it. When using Firesheep at a public hotspot, any session it can intercept is displayed in the Firesheep pane with the user's name and photograph (when available). Simply click on their name to take over the session and start browsing the website as though you are them.
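To make the mechanism concrete, here is an added example (not Firesheep's code, and not the code of any site named above) that does both halves of the story: the attacker's half, pulling session cookies out of plaintext HTTP requests the way Firesheep's per-site handlers do and building the request that replays one, and the defender's half, checking whether a site's Set-Cookie headers would ever let that cookie travel over plain HTTP. The hosts, cookie names, captured requests and Set-Cookie headers are constructed for the demo.

```python
"""Added example (not Firesheep's code): what a plaintext session cookie gives an
attacker on an open hotspot, and the server-side check that stops it.

Hosts, cookie names, captured requests and Set-Cookie headers are constructed."""
from http.cookies import SimpleCookie

# Firesheep ships one "handler" per site naming its session cookie(s).
# These are hypothetical sites and cookie names, not Firesheep's real handlers.
SESSION_COOKIE_NAMES = {
    "social.example": {"auth_token"},
    "photos.example": {"sid"},
}

# Constructed plaintext HTTP requests, as captured on an open Wi-Fi hotspot after
# the victim logged in (the login itself went over HTTPS, so it is not seen).
CAPTURED_REQUESTS = [
    b"GET /inbox HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: auth_token=deadbeef0badcafe; lang=en\r\n\r\n",
    b"GET /static/app.js HTTP/1.1\r\nHost: cdn.example\r\nCookie: cdn_pref=1\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: social.example\r\n\r\n",  # no cookie, nothing to steal
]


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path and a lower-cased header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def extract_session_cookies(raw_requests):
    """What Firesheep does: for each plaintext request to a site it has a handler
    for, pull the session cookie out of the Cookie header.
    Returns (host, cookie name, cookie value) triples."""
    found = []
    for raw in raw_requests:
        req = parse_http_request(raw)
        host = req["headers"].get("host", "").split(":")[0].lower()
        wanted = SESSION_COOKIE_NAMES.get(host)
        cookie_header = req["headers"].get("cookie")
        if not wanted or not cookie_header:
            continue
        jar = SimpleCookie()
        jar.load(cookie_header)
        for name in sorted(wanted):
            if name in jar:
                found.append((host, name, jar[name].value))
    return found


def hijack_request(host, name, value, path="/"):
    """The request the attacker replays. The site checks nothing but the cookie,
    so it answers as if the victim had sent it."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {name}={value}\r\n\r\n").encode("ascii")


def insecure_session_cookies(set_cookie_headers, session_names):
    """Server-side check: which session cookies are issued without the Secure flag?
    A cookie without Secure rides on every plain-HTTP request, which is exactly the
    traffic Firesheep reads; with Secure the browser never sends it unencrypted."""
    leaky = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in session_names and not morsel["secure"]:
                leaky.append(name)
    return leaky


# Constructed Set-Cookie headers: the weak one is how the sites in the article behaved.
WEAK_SET_COOKIE = ["auth_token=deadbeef0badcafe; Path=/; Max-Age=2592000"]
HARDENED_SET_COOKIE = ["auth_token=deadbeef0badcafe; Path=/; Max-Age=2592000; Secure; HttpOnly"]

if __name__ == "__main__":
    for host, name, value in extract_session_cookies(CAPTURED_REQUESTS):
        print(f"stolen {name} for {host}: {value}")
        print(hijack_request(host, name, value, "/inbox").decode())
    print("leaky:", insecure_session_cookies(WEAK_SET_COOKIE, {"auth_token"}))
    print("hardened:", insecure_session_cookies(HARDENED_SET_COOKIE, {"auth_token"}))
```

The Secure flag only helps if the site also serves the logged-in pages over HTTPS; a Secure cookie on a site that is HTTP after login simply means the user is logged out again on every page, which is why the real fix is encrypting the whole session and then marking the cookie Secure.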

What can you do to protect yourself against such a painfully easy attack on your privacy and security? Until the sites encrypt the whole session, you can set up an SSH SOCKS proxy to a server you trust and point Firefox at it, so that your site sessions and the cookies that accompany them travel through an encrypted tunnel nobody on the hotspot can sniff. Keep the limit in mind: the tunnel only protects the hop from your laptop to the SSH server. Between that server and the website the session is still plain HTTP, so the cookie is out of reach of the hotspot crowd, not out of reach of everyone.

Firesheep is free, runs wherever Firefox does and requires a wireless card that can be put into promiscuous mode so it can see other users' traffic on the hotspot.

Firesheep [Code Butler via TechCrunch]


Comments

    Would using HTTPS help at all?

      Glen, yes, but only if the option is available for the entire session to be encrypted. There is a Firefox plugin that uses SSL connections when available on big websites.

    Gah! And I felt so 1337 when I was doing a proof of concept for someone with Wireshark and Cain & Abel T_T
