31° Good Evening
31° Good Evening

Firefox add-on opens access to users' private info

(Aug. 31, 2010)

(Aug. 31, 2010) Credit: Newsday / Audrey C. Tiernan

Firesheep, a new extension for the Firefox Web browser, gives users full - but illegal - access to the accounts of other Internet surfers on many open Wi-Fi networks, including on Facebook, Twitter, flickr and e-mail.

The software developer, Eric Butler of Seattle, said it is meant to highlight how websites compromise users' private information.

"This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users," Butler said via his website.

A computer user with Firesheep can steal website cookies from other Internet surfers using the same unprotected public Wi-Fi network. Those cookies store a user's logon and password.

As people access their accounts, a Firesheep user will be sent links - with the logon and passwords already enabled - to the various sites that other people on the network are visiting. This happens without users being aware that their privacy has been compromised.

Some large Wi-Fi networks use encryption, and most banks use the more-secure https protocol for their online banking services, both of which would stop Firesheep.

According to the Computer Fraud and Abuse Act of 1986, it is a federal crime to access a computer without authorization.

As of Tuesday, the extension had been downloaded 104,000 times, according to the blog TechCrunch, since it was made available Monday.

Butler says Firesheep works on, Facebook, Twitter, Dropbox, Google sites, Yahoo and Foursquare, and most e-mail clients, among others. And although the free extension is only for Mozilla's Firefox, Firesheep picks up private cookies from other browsers as well, such as Safari, Internet Explorer and Chrome.

A spokesman for Facebook said the social network plans to add a security feature in the coming months that would stop this kind of security breach.

Firefox is an open source browser maintained by Mozilla Corp. Firefox director Mike Beltzner said the company is not responsible for security flaws in other websites. "Firesheep is an add-on for Firefox created and distributed by a third-party developer. It demonstrates a security weakness in a number of popular websites, but does not exploit any vulnerability in Firefox or other Web browsers," Beltzner said.

He added Mozilla recommends that websites start supporting the more secure https protocol, which will be supported by default in Firefox 4, now in development.

How to protect yourself

At home, always have your wireless network password protected. Also, make sure the network name you choose doesn't easily identify your household, in other words the family name, address, etc.

While it's probably never a good idea to send and receive private information through a public network, there are some steps to help protect your privacy.

Beltzner says Firefox users can use this add-on: Force TLS, to protect themselves. This forces the HTTP protocol into the more secure HTTPS line.

Google Chrome users have a preference that can be selected that allows only HTTPS connections.

For Safari and IE users there aren't any immediate and easy solutions. Life Hacker does offer a step-by-step guide on how to encrypt all your web data. It might seem somewhat daunting, but it's definitely worth a couple of reads.

Mozilla has yet to release any official word regarding their stance on Firesheep. Check back again for updates.


We're revamping our Comments section. Learn more and share your input.

More news