How to Hijack Facebook Using Firesheep

I hijacked someone's Facebook account with Firesheep. It was incredibly easy.

Before you call the authorities on me, the "hijack" was an experiment with a colleague's account while we were waiting for a plane, and she gave me permission. But let me tell you: Firesheep, the Firefox add-on designed to show the security holes in sites that don't use encryption for all their traffic, works as advertised.

All I had to do was download and install the add-on, open the Firesheep sidebar and click "Start Capturing." When her account appeared on the list, I double-clicked on it. Once I made sure that I wasn't logged into the same site myself with my own account, her account appeared in my browser.

Happily, I couldn't change her account information without knowing her password. But I could see all her friends, read her private messages and even issue a status update that went to all her friends.

Also good news: Google and Yahoo mail both appeared secure, even if logged into other portions of those sites.

However, sitting at the Online News Association conference this morning -- a conference of journalists who are very Web-savvy but perhaps less so on latest security issues -- I see a steady stream of accounts show up (see a sample below). Facebook. Twitter. Tumblr. I saw someone's Wordpress blog account (but no, I don't know if I could have clicked through and posted an item).

I was also alarmed to see my own accounts showing up. I hadn't remembered that I'd left my work laptop logged into my Google account, but there was my Gmail address popping up on the Firesheep sidebar when I surfed to Google to do a search.

So here's what I'm doing about Firesheep. Even though I'm not interested in seizing control of strangers' accounts, I'm keeping Firesheep loaded on my system and firing it up whenever I'm using public Wi-Fi: to make sure none of my own accounts pop up. Firesheep has been downloaded hundreds of thousands of times. I can't count on the fact that I'm the only one on the network who knows about it.

If I was in charge of IT and/or IT security at an organization, I'd be giving Firesheep demonstrations to managers to drive the point home that it's just not safe to use public Wi-Fi connections without using proper safeguards.

Sharon Machlis is online managing editor at Computerworld. Her e-mail address is smachlis@computerworld.com. You can follow her on Twitter

Twitter
@sharon000, on Facebook or by subscribing to her RSS feeds:
articles
Machlis RSS
| blogs
Machlis RSS
.

For comprehensive coverage of the Android ecosystem, visit Greenbot.com.

Subscribe to the Security Watch Newsletter

Comments