One of a pair of developers who created FireSheep, a Firefox browser plug-in that makes it easy to snoop on others’ social networking sessions, has written a blog post defending his creation, saying it has helped elevate discussion about security on the Web. 

In a post on his blog, Eric Butler, a co-author of FireSheep with Ian Gallagher of Security Innovation, responded to charges that his creation was malicious and criticisms that the plug-in for the Mozilla browser opens up session hijacking to even unskilled Web users.

“Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends,” Butler wrote.

FireSheep allows Firefox users who are connected to unsecured wireless networks to canvas and then snoop on social networking sessions, including Facebook, iGoogle and Flickr. The program was unveiled at the ToorCon Security Conference in San Diego in October. 

Rather than questioning the legal right of FireSheep to exist, people should question the motives and behavior of those who use it to illegally access others accounts, he wrote. 

The program was created to raise awareness about the insecurity of social networking Web sites, many of which do not require – or even offer – an encrypted channel for interacting with their Web based applications. Pure HTTP sessions can easily be captured and monitored on unencrypted wireless LANs. Security experts have long warned about man in the middle or session hijacking attacks that take advantage of that gaping security hole, and tools – such as Wireshark – have long enabled technical users to do what FireSheep does. 

The difference, of course, is that FireSheep allows Web surfers to hijack these sessions without requiring any technical expertise. The Mozilla Foundation, which makes the Firefox browser, declined to block the plug-in, noting that it merely points to a weakness in social networking sites, but does not exploit a vulnerability in Firefox or other browsers. However, Microsoft added a signature to detect the tool to its anti malware engine, dubbing FireSheep a hacking tool – a move that Butler likens to censorship for users who would like to try his creation.

In all, Butler, who describes himself as a freelance Web application developer living in Seattle, said that the brouhaha should not be about FireSheep, but about the lax security that large corporations continue to tolerate for applications and services they offer online.

“Big companies, especially Facebook and Twitter cannot claim they are unaware of these issues. They have knowingly placed user privacy on the back burner, and I’d be interested to hear some discussion about the ethics of these decisions, which have left users at risk since long before Firesheep.”  

And the discussion goes on! 

Categories: Data Breaches, Vulnerabilities

Comments (6)

  1. Calandale
    1

    It IS a hacking tool. Like tools, it can be used responsibly, or not.

    Anyone who’s interested should be able to obtain it, regardless of MS’s

    stance on a label.

  2. Anonymous
    2

    lets be honest how many people are gonna use this program for there own use almost everyone is gonna use this to hack

  3. Anonymous
    3

    I am in compliance with the above posts. Not everyone wears a whitehat. I bet out of all honesty and earnesty that if the developer of the plugin was in fact penetrated or even had his website exploited, he wouldn’t be a happy camper. With all do respect to the man that created it, my hats off to you. I don’t know why Mozilla even allowed it to be published when mozilla is marketing a more faster SECURE web browser. Everyone has its flaws, but where is the equality, and unity. If that was created to show vulnerabilities on social networks, what could it do to other connections. Adios!!

  4. Dave
    4

    To Anonymous on 11/03/2010 @ 9:50pm:

    You wrote- “I don’t know why Mozilla even allowed it to be published when mozilla is marketing a more faster SECURE web browser.”

    Ummm…You must not have read the article very thoroughly. The add-in does not compromise the browser. It enables a user, by using Firefox, to sniff out other http connections from other computers to specific social network sites on an unsecured wireless intranet. It does not compromise the browsers on the other machines either. It is a “Man in the Middle” attack which only looks at unencrypted wireless http connections out in the ether. Perhaps you should go over some of the simpler concepts of networking, like the OSI layers, again.

  5. T.Anne
    5

    Yes the way it is used it up to the user… but let’s face it, most people willing to snoop public/unsecured networks most likely aren’t going to be using it for good. If you were someone who would use something to test your own network – odds are it’s not unsecured in the first place.

    I also find it interesting that Firefox hasn’t done anything to block it or taken any action – the name Firesheep is clearly done with the intent to tie it to Firefox (not just imply that it works on Firefox). I also think this tie could be part of why Microsoft has taken the action it has… not only is it blocking a hacking tool, but for those who don’t look at the details and just see the detected items and assume they’re bad – it’s more likely people will be tying the flaw to Firefox directly. I don’t think Microsoft did what they did 100% because of Firesheep, but also because of the fact that the name links it to Firefox – one of their browser competitors.

  6. Andrew MacKie-Mason
    6

    The use of Firesheep on a network that has other people on it is a violation of hacking laws in most (all?) states. Arguably, if someone suffered severe financial loss because of it, they could sue Butler.

Comments are closed.