New Firefox add-on exposes security problem for popular websites


A Seattle software developer is stirring anxiety with a new add-on program for the popular Web browser Firefox that allows amateur hackers under the right circumstances to gain access to accounts on popular services such as Facebook and Twitter.

The program, called Firesheep, makes it far easier to intercept browser cookies used by those sites to identify users. Hackers can then log into those sites posing as those users.

It only works on a shared wireless network, according to the programmer, Eric Butler, who unveiled the program at a hacker conference in San Diego on Sunday to draw attention to security vulnerabilities.

Those vulnerabilities could always be exploited by experienced hackers and as such are old news. But Butler’s program puts that capability in the hands of amateur hackers, bringing renewed attention to the issue.

‘On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy,’ Butler wrote.

The fix, Butler says, is for websites to fully encrypt all of their communications with consumers, not just some of them.

That is the default setting on Google’s e-mail service, Gmail, a spokesman said. A Facebook spokesman said it’s working on full encryption and hopes to offer that feature to users in the coming months. ‘As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks,’ he said. A Twitter spokesman declined to comment.

Mike Beltzner, Mozilla’s director of Firefox, emphasized that Firesheep is an add-on for Firefox created and distributed by a third-party developer. ‘It demonstrates a security weakness in a number of popular websites, but does not exploit any vulnerability in Firefox or other Web browsers,’ Beltzner said.

He suggested that Firefox users protect themselves by installing another add-on, ForceTLS, which forces the browser to use encrypted connections to supporting sites.
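The weakness Butler describes and the fix he and Beltzner point to come down to two server-side settings: a session cookie must carry the Secure attribute so the browser never sends it over plain HTTP, and the site should tell browsers to use encryption for every request (the Strict-Transport-Security header does on the server side what the ForceTLS add-on does on the client). The following checker is an added example, not code from the article, from Butler or from Firesheep; it parses constructed response headers and reports cookies that would be exposed on an open network. The cookie name hints and the two sample responses are assumptions made for illustration.

```python
"""Audit HTTP response headers for the weakness Firesheep targets.

A session cookie without the Secure attribute is attached to every plain
HTTP request the browser makes, so anyone on the same open wireless network
can read and replay it. This checker flags such cookies and the absence of
Strict-Transport-Security. All sample data is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical substrings that mark a cookie as a session/login token.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieInfo:
    name: str
    secure: bool      # Secure attribute present: browser sends it only over HTTPS

    def looks_like_session(self) -> bool:
        lowered = self.name.lower()
        return any(hint in lowered for hint in SESSION_HINTS)


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie value: 'name=value; Attr; Attr=val; ...'."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; keep only the name of each.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieInfo(name=name, secure="secure" in attrs)


def audit_response(scheme: str, headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for one response.

    scheme:  'http' or 'https', the scheme the response was served over.
    headers: (name, value) pairs in the order the server sent them.
    """
    findings: List[str] = []
    has_hsts = False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie = parse_set_cookie(hvalue)
            if not cookie.looks_like_session():
                continue
            if scheme == "http":
                findings.append(
                    f"{cookie.name}: session cookie issued over plain HTTP; "
                    "already visible to the network")
            elif not cookie.secure:
                findings.append(
                    f"{cookie.name}: session cookie lacks Secure; browser will "
                    "send it on any http:// request to this site")
    if scheme == "https" and not has_hsts:
        findings.append(
            "no Strict-Transport-Security header; browser may still follow "
            "http:// links and expose cookies")
    return findings


# Constructed sample: login over HTTPS, but the cookie is usable over HTTP.
LEAKY_RESPONSE = ("https", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
])

# Constructed sample: the same site after applying the fix the article calls for.
HARDENED_RESPONSE = ("https", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000"),
])


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(*resp) or ['no findings']}")
```

Run against the two constructed responses, the first yields two findings (cookie without Secure, no HSTS) and the second yields none; the same function can be pointed at the headers of any real response captured from a site you operate.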

TechCrunch was one of the first sites to report on Firesheep, saying: ‘One word: wow.’ Now it says ‘lazy hackers’ have downloaded the program more than 104,000 times.

Butler says he has received ‘a ton of great messages from people who are happy this issue is finally receiving widespread attention.’

-- Jessica Guynn