Firesheep Plugin to Hack Facebook and Social Networks?

Eric Butler presented today at Toorcon 12 San Diego conference the power of his Firesheep plugin. The new Firefox add-on sniffs out unencrypted HTTP sessions on your network segment and lets you impersonate any of the users found.

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

More from the developer and a sample how to hack a facebook account.