Firesheep Exposes Web Security Concerns

Firesheep, a free plugin whose name is reminiscent of its host application Firefox, has generated considerable debate since its release on Oct. 24, potentially posing a privacy threat to Harvard’s users of social websites.

The approximately 200,000 users worldwide who have downloaded the program can “side-jack” accounts and thus view anyone’s private information on Facebook, Twitter, and other social sites. Hackers can then read private messages and even post status updates without knowing the password to the hacked account.

In response, FAS IT issued a cautionary email last Friday, informing the Harvard community of the privacy threats posed by Firesheep and outlining steps to remedy the issue.

One such step recommended by FAS IT is to access the Harvard network using Virtual Private Networking (VPN) connection, which encrypts all traffic from a computer over the wireless network, ensuring the security of the information.

The only way users on wireless Harvard networks can be vulnerable to individuals using Firesheep is if both users had the same access point—for example, if they lived in the same House, according to Faculty of Arts and Sciences Senior Client Technology Advisor Noah S. Selsby ’94.

A week after Firesheep’s initial release, Eric Butler, the program’s designer, defended the legality and ethics of the plugin in a blog post, writing that the notion of Firesheep as a tool for “harassing or attacking people” is “completely false,” given that some users are hacking the accounts of their consenting friends as a test of a given website’s security.

He added that he does not think “Firesheep turns otherwise innocent people evil,” since people make the distinct choice to use the program maliciously and without permission.

Matthew J. Chartier ’12, a teaching fellow for CS50, echoed similar sentiments. He said that he thinks Firesheep is not offered “maliciously, but to demonstrate user vulnerability to the mainstream,” since other hacking programs that are more difficult to use have existed for at least five years.

CS50 students discussed this vulnerability in “a really valuable, if scary, conversation” in class last week when the teaching staff demonstrated how accessing Facebook over unencrypted Wi-Fi networks left users vulnerable to potential “session-hijacking attacks,” according to course instructor David J. Malan ’99.

In light of this vulnerability, FireShepard, a program designed to “herd” the hacker program, was released by University of Iceland engineering student Gunnar Atli Sigurdsson a few days after Firesheep’s release. This program releases a string of junk characters which, when read by Firesheep, will allegedly cause the plugin to crash over the local wireless network.