Firesheep – Session sidejacking made easy

Be careful when you log in to Facebook, Twitter, Google, etc. over a public open Wi-Fi hotspot. There’s a new Firefox plugin called Firesheep that lets others easily gain access to your Facebook, Twitter or Google account. The plugin exploits a widely known Wi-Fi flaw. While you are logged in to those sites over public open Wi-Fi, the hacker can view your private data or even post messages, just as you can. Luckily for us, the hacker can’t change your password since he doesn’t know your existing password.
In computer security, this exploit is called session sidejacking.
And it’s not just Facebook, Twitter and Google that are vulnerable. Foursquare, Gowalla, Basecamp, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp are also vulnerable. I think there are more. Internet banking sites are safe since they have SSL encryption.
The most worrying part about this is that the “White Hat Hacker” decided to make it super easy for everyone to exploit this flaw. He created a Firefox plugin so that anyone who knows how to install a plugin on Firefox knows how to exploit this flaw. I hate those White Hat Hackers. Maybe I should start another post to debate the ethics of White Hat Hackers.
The only way to fix this issue is for all the websites to implement SSL access. And trust me, it will take some time before all the websites can implement the changes. In the meantime, your online security is at risk when you log in to those sites over a public open Wi-Fi.
But don’t worry. You can protect yourself by using Firefox plugins like Force-TLS and HTTPS Everywhere. The only question is, how many people actually know about Firesheep and install those plugins to protect themselves?
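To see what "implementing SSL access" means on the server side, here is an added example (not code from Firesheep or from any site named in this post) that audits HTTP response headers for sidejacking exposure. It assumes the login session is carried in a cookie and that a site forces HTTPS with the Strict-Transport-Security header; the hostnames and header values are constructed samples.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers (illustrative hosts, not real captures).
SAMPLES = {
    "login-page-only-ssl.example": [
        # HttpOnly hides the cookie from scripts, not from a Wi-Fi sniffer.
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ],
    "hsts-but-loose-cookie.example": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "session=def456; Path=/"),
    ],
    "ssl-everywhere.example": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=ghi789; Path=/; Secure; HttpOnly"),
    ],
}

def hsts_enabled(value):
    """True if the header carries a max-age greater than zero."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip().strip('"')
            return val.isdigit() and int(val) > 0
    return False

def audit(headers):
    """Return (verdict, cookies_without_secure) for one response."""
    hsts, loose = False, []
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            hsts = hsts or hsts_enabled(value)
        elif name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            # A cookie without Secure is also sent over plain HTTP.
            loose += [c for c, m in jar.items() if not m["secure"]]
    if not loose:
        verdict = "ok"
    elif hsts:
        verdict = "exposed until the browser has cached the HSTS policy"
    else:
        verdict = "exposed on open Wi-Fi"
    return verdict, loose

if __name__ == "__main__":
    for host, headers in SAMPLES.items():
        print(host, *audit(headers))
```

A site that encrypts only its login page falls into the first case: the password is protected, but the session cookie that follows it is not.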
For your info, our Wireless@SG is a public open Wi-Fi. I haven’t had the time to try out Firesheep on Wireless@SG. And I don’t want to get into legal trouble. Session sidejacking is illegal in Singapore under the Computer Misuse Act. In concept, Firesheep should work on Wireless@SG. I guess some Singaporeans are already exploiting the flaw using Firesheep at Wireless@SG spots.
Which is why everyone should start switching to Wireless@SGx. Wireless@SGx uses WPA and is safe from Firesheep.
Another way to protect yourself is to stop using public open Wi-Fi entirely. 3G dongle FTW!!!
PS: I’ve forgotten when I last logged in to a public open Wi-Fi spot. I love my 3G.

