Firesheep app lets you hack Facebook, Twitter accounts

The next time you go wireless in a mall or coffeeshop, watch your back. Eric Butler, a US-based freelance web application and software developer, has just released an application on his blog called "Firesheep" that exposes the vulnerabilities of open wireless networks. Firesheep allows a user to view and even edit the account of anyone using Facebook or Twitter while logged into an unsecure WiFi network. According to Butler, this intrusion is possible because most websites —including Facebook and Twitter— only encrypt the user's initial login. "When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a 'cookie' which is used by your browser for all subsequent requests. It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable," he explained. "Facebook is constantly rolling out new 'privacy' features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website," Butler added. In Metro Manila, most public malls —including SM, Ayala, and Robinsons malls— now offer open and free WiFi access. According to Wikipedia, SM Megamall alone attracts foot traffic of some 800,000 people per day. Butler said that he was not maliciously motivated to create the program. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win," he explained. - RSJ, GMANews.TV