How to stop me (and 700,000 others) from hacking your Facebook and Twitter account
Firesheep is a free Firefox plugin that captures the session cookies of other browsers on an open wifi network. It lets you log in, with a single click, to sites like Facebook and Twitter as any other unsecured user on that wifi connection. It has been downloaded over 700,000 times in the past two weeks.

I ran the program for 15 minutes at a coffee shop, and the screenshot to the right shows all the accounts I could log into, read messages from, and even post tweets from. I will provide solutions below on how to fix the most obvious vulnerabilities for Facebook, Twitter, and the other default sites.
If you are using wifi that you do not have to log in to, you are at complete risk of other people accessing your Facebook, Twitter and other accounts. Once Firesheep is installed and running, it will immediately find anybody on the same wifi connection as you who is using the following sites by default:
facebook.com, google.com, twitter.com, amazon.com, basecamphq.com, dropbox.com, yahoo.com, cisco.com, cnet.com, enom.com, evernote.com, foursquare.com, github.com, gowalla.com, harvestapp.com, live.com, news.ycombinator.com, nytimes.com, pivotaltracker.com, slicehost.com, tumblr.com, yelp.com and every single WordPress installation.
If you are using Google Chrome:
Fidelio will automatically make sure you use the secure (https) versions of Facebook and Twitter. You can also add other sites that offer https versions.
1) Install by clicking http://nikcub.appspot.com/projects/fidelio.crx
2) In the OS X menu bar go to Window -> Extensions
3) Find Fidelio in the list and click Options
4) Add these: google.com, amazon.com, basecamphq.com
If you are using Firefox:
HTTPS Everywhere is provided by the EFF and will by default take care of:
Facebook, Twitter, Amazon, WordPress blogs, PayPal, Google, Wikipedia, NY Times, Washington Post, EFF, Tor and Ixquick.
1) Install by clicking https://www.eff.org/files/https-everywhere-latest.xpi
If you are using Internet Explorer:
1) Use Google Chrome (or Firefox I guess).
To fully protect yourself on an open wifi network you have three main options:
1) Suggest your coffee shop turn on WPA2 encryption and hand out a password.
2) Set up an SSH proxy, but you will need a web server (or home computer) to do this.
3) Every site you log in to needs to use HTTPS for the entire session, not just the login page. You can tell if you type in https://examplesite.com and a lock icon appears in your browser. If a site you use doesn’t, email them and let them know they should. Sites that are part of Firesheep by default and can’t be protected by the above Chrome/Firefox methods because they do not offer SSL: foursquare.com, gowalla.com, news.ycombinator.com, nytimes.com, tumblr.com, yahoo.com, yelp.com
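Option 3 is really a check a site operator (or a curious user reading response headers) can make: does a plain http:// request get redirected to https://, and is the session cookie marked Secure so the browser never sends it over plain HTTP at all? The script below is an added example, not code from the original post or from the Firesheep, Fidelio or HTTPS Everywhere projects. It audits a response for exactly the two weaknesses Firesheep relies on, and also checks for the Strict-Transport-Security header (HSTS, RFC 6797), which goes beyond what the post mentions. The four sample responses are constructed, not captured from any real site.

```python
"""Audit HTTP responses for the exposure Firesheep relies on: a session
cookie that the browser is willing to send over plain http://.

Added example; the sample responses below are constructed."""

REDIRECTS = (301, 302, 303, 307, 308)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value}).
    Attribute names are lowercased; flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_response(scheme, status, headers):
    """Return a list of findings for one response.

    scheme  -- 'http' or 'https', the scheme the request was made with
    status  -- HTTP status code
    headers -- list of (name, value) pairs; Set-Cookie may repeat
    An empty list means the response shows none of the checked weaknesses."""
    findings = []
    lowered = [(k.lower(), v) for k, v in headers]
    location = next((v for k, v in lowered if k == "location"), "")

    if scheme == "http":
        # A plain-HTTP request should be bounced to https://, never answered with content.
        if not (status in REDIRECTS and location.lower().startswith("https://")):
            findings.append("http:// request answered with content instead of a redirect to https://")
    elif not any(k == "strict-transport-security" for k, _ in lowered):
        # HSTS makes the browser refuse to use http:// for this host at all.
        findings.append("no Strict-Transport-Security header")

    for key, value in lowered:
        if key != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            # Without Secure the browser also sends this cookie over http://,
            # where anyone on the open wifi can read it.
            findings.append(f"cookie {name!r} set without the Secure flag")
    return findings


# Constructed samples (hypothetical host example.com, made-up cookie value).
WEAK = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
])
# Login happened over https, but the cookie is not Secure: the "https login only" case.
MIXED = ("https", 200, [
    ("Set-Cookie", "session_id=abc123; Path=/"),
])
HARDENED_HTTP = ("http", 301, [
    ("Location", "https://example.com/"),
])
HARDENED_HTTPS = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
])


def main():
    for label, sample in (("weak", WEAK), ("mixed", MIXED),
                          ("hardened http", HARDENED_HTTP), ("hardened https", HARDENED_HTTPS)):
        findings = audit_response(*sample)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")


if __name__ == "__main__":
    main()
```

The MIXED sample is the case the post's "fully" is about: a site that encrypts the login page but then hands out a cookie without the Secure flag is no better off on open wifi, because the browser will send that cookie with the next plain-http request.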
Further Info:
* Original presentation about Firesheep and security concerns:
* Blacksheep is a Firefox plugin that alerts you when somebody on the network is running Firesheep.
gtmcknight posted this
