Scary Firefox Add-On is NOT a Firefox Vulnerability

If you haven’t heard of Firesheep yet, read this blog article. It talks about a Firefox add-on that allows those who use it to “sniff” the login credentials of other users logging into vulnerable websites.  Once you see a user, you simply click the user in the list and voilà!  You’re logged in as that user on that website.

Holy crap, right?  I’d say so.

The reason I’m writing this article, though, is that some (you know who you are, @johnobeto) are using this add-on to say that Firefox is insecure. That is completely incorrect. @Johnobeto also likened this to ActiveX vulnerabilities in Internet Explorer, and he said that MS was held liable for them, so what’s good for the goose is good for the gander.

This is not a Firefox vulnerability.  This add-on does not make someone who uses Firefox vulnerable.  It makes others who are on the same network as that user vulnerable to that user.  That is completely different than someone who unknowingly went to a website that exploited vulnerabilities in ActiveX.  The user using IE is the one vulnerable.  (Not to mention that Firesheep is installed on purpose and plainly visible to the user that is running it, as opposed to ActiveX exploits that were invisible.)

You may argue that it’s uncool that the add-on capabilities of Firefox are being used to do something very uncool, but that’s still not the same as ActiveX, which was itself the vulnerability that others exploited.

The real news here is how easy it is for someone to hack into your Facebook, Flickr, Twitter, Amazon, Dropbox, Google, Foursquare, or Windows Live account by simply sniffing your packets.  (This is not a complete list; it’s just the ones I thought might give the reader some pause.)

Some of these are websites whose services you might actually be paying for.  If that is the case, you should demand that they fix their website so it no longer has this vulnerability.

Meanwhile, read this article (especially the end) that includes a section on how to protect yourself.

----- Signature and Disclaimer -----

Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Evangelist at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.