Eric Butler, a software developer from Seattle has exposed the vulnerability of popular sites like Facebook and Twitter.
He has developed a Firefox extension called Firesheep, which makes use of the vulnerability of unsecured HTTP sites in order to demonstrate session hijacking. Firesheep sniffs out unencrypted HTTP sessions on any open Wi-Fi network and capture users’ cookies. It then uses the cookie to let you pose as that user and browse the site.
Here’s how it works: When you connect to any open Wi-Fi network using the extension, it start’s monitoring the network. Then as soon as anyone on the network visits an insecure website known to Firesheep, their name and photo is displayed:
When you double-click on any of the user, you are logged in as them.
Using this extension anyone can access your private information and you will have no idea about it. This vulnerability is only accessible if you are on an open Wi-Fi network connection, if it’s encrypted you don’t have to worry about anything.
So how to Protect yourself in an open network?
Use an extension like Force-TLS: Force-TLS will change HTTP connections to HTTPS on the sites that you set. This will secure your login information and also protect your other information across the site.
Note: Enabling HTTPS connection on Facebook will disable Facebook chat.
The list of websites which are not secure and hence susceptible to this vulnerability include Foursquare, Gowalla, Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp.