Network News

X My Profile
View More Activity
Anchored by Melissa Bell  |  About  |  Get Updates:  Twitter  |  Facebook  |  RSS Feeds RSS Feed

Firesheep: The cute, new computer hacking program

By Melissa Bell
No word if developer Eric Butler took inspiration from Carly Fiorina's "Demon Sheep" ad while naming his new hacker program Firesheep. (Still from the "Demon Sheep" ad)

No need to be Lisbeth Salander to hack into Twitter and Facebook accounts nowadays. Thanks to Seattle software developer, an easily downloadable program allows even a luddite the ability to access Twitter and Facebook accounts.

The somewhat menacing-sounding Firesheep was released by Seattle-based developer Eric Butler and is a Firefox program that works on Wi-Fi networks to capture users' cookies. (As I side note, I wonder if Butler took inspiration from Carly Fiorina's "Demon Sheep" ad for the name?)

Butler's post on a hacking Web site said that as soon as anyone on the network visits an insecure Web site, their name and photo will be displayed in the Firesheep window.

Techcrunch was one of the first sites to report the new program, saying "One word: wow."

Butler said he had only the best of intentions when creating the demonic sheep hacking program: to expose the severe lack of security on the Web.

"Web sites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win," Butler said.

The program has already been downloaded thousands of times, but the Guardian's Tom Scott warns people, "Using this on a network that you don't completely own and control would be a violation of the Computer Misuse Act."

A TechCrunch reader pointed to a Firefox add-on that can block the Firesheep program.

Even so, wireless networking is an inherently fragile dealing and Butler places the blame on the "insecure Web sites."

"Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely?" Butler wrote. "Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website."

Update: Facebook spokesman Andrew Noyes said in an email that Facebook has been testing a technology that will close out this loophole and they hope to provide it within the next few months. However, "As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks."

Update II: The headline originally read as "The cute, new password stealer," which is misleading. The program allows users to access password-protected sites, essentially sidestepping the need to use a password.

By Melissa Bell  | October 25, 2010; 1:00 PM ET
Categories:  The Daily Catch  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Georgetown students never take 'hard drugs' (wink, wink), Facebook moms annoy people, and more
Next: Trash strikes from Naples to Marseilles (Photos)


Developer Eric Butler has created a new extension for Firefox called Firesheep that allows anyone to download and start listening to any open Wi-Fi network and capture users’ cookies. So what gives you access to Facebook and Twitter accounts with ease.

Posted by: parikhan | October 25, 2010 1:26 PM | Report abuse

scary stuff for sure. data "sniffer" tools are now a reality for everyone.

from those in the know, don't EVER use public wi-fi or connect through a hotel without using a VPN. An excellent VPN service company is Witopia, although there are many other choices too.

Posted by: geeksrus | October 25, 2010 8:49 PM | Report abuse

its as simple as this: facebook is not a secure website. we cant trust facebook to keep our information from third parties. the information we put out there WILL be sold. its time to move on to a safer website such as diaspora or mycube. these sites offer complete privacy and wont treat our consent as their own. you guys should check it out and join them as they open.

Posted by: clarkwalker | October 27, 2010 1:30 AM | Report abuse

Thank you for failing to do even the very basic journalistic legwork required to determine what this is, why it works, and write an informative article. I'm sure the thousands of readers you've scared with this sensationalistic rag are likewise pleased with the way you've injected needless fear into their lives.

FACT: This does not "steal" passwords.

The HTTP Session hijack exploit (Just call it "sidejacking") relies on users being logged into sites that do not use encryption. That is, the users are not protected by the site. This is very common.

Note the important distinction: the user enters the password and logs in. This process is usually secure. The cracker never sees this part of the process and thus never acquires the password. It's all traffic after that is insecure. (Additionally, most sites require entering the current password before allowing the current password to change.)

This isn't to attempt to reduce the problem. It's still pervasive and absolutely inexcusable that this has been allowed to fester for literally YEARS before gaining attention.

Posted by: getjiggly1 | October 27, 2010 7:49 AM | Report abuse

I know that public wifi connections in cafes, hotels, libraries, schools, etc., have never been safe. Wireshark, ethereal, amongst other apps have been out for awhile now and people have been harvesting data for a long time.

If you use a VPN like Private Internet Access ( ) then your connection will be tunneled through a secure transport and you will be secured/encrypted even in public wifi.

Hope this helps.

Posted by: andysl | October 27, 2010 5:58 PM | Report abuse

Post a Comment

We encourage users to analyze, comment on and even challenge's articles, blogs, reviews and multimedia features.

User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions.

characters remaining

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company