Developer Eric Butler has demonstrated critical vulnerabilities in most social networking and other websites that allow anyone to collect private user data, including login credentials, from Wi-Fi networks. Butler has created a Firefox extension, Firesheep, which essentially lets you eavesdrop on any open Wi-Fi network and capture users’ cookies.
As Butler explains in his post, “As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed” in the window. By double-clicking on the name, anyone can access the user’s credentials.
It works this way: when a user accesses an insecure website over an open Wi-Fi connection, the website keeps track of the user via a cookie (more formally referred to as a session) that contains identifying information for that website. Butler’s extension allows anyone to intercept these cookies and masquerade as the user.
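An added example (not from Butler's post or from Firesheep) of a defensive check for the exposure described above: it flags cookies that a site sets over plain HTTP, or over HTTPS without the Secure attribute, since such cookies can travel unencrypted and be read on an open network. The Secure attribute is not named in the article; the host names and cookie values below are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: (URL of the response, its Set-Cookie header values).
SAMPLE_RESPONSES = [
    ("http://social.example/login", ["session_id=abc123; Path=/; HttpOnly"]),
    ("https://social.example/login", ["session_id=abc123; Path=/; HttpOnly",
                                      "theme=dark; Path=/"]),
    ("https://shop.example/login", ["sid=xyz789; Path=/; Secure; HttpOnly"]),
]


def audit_cookies(url, set_cookie_headers):
    """Return (cookie_name, reason) pairs for cookies exposed to eavesdropping."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie header value
        for name, morsel in jar.items():
            if scheme != "https":
                # The cookie itself was delivered in cleartext.
                findings.append((name, "set over plain HTTP"))
            elif not morsel["secure"]:
                # Delivered safely, but the browser will also attach it
                # to any later http:// request to the same site.
                findings.append((name, "missing Secure attribute"))
    return findings


def audit_all(responses):
    """Map each URL to its list of findings (empty list means no exposure found)."""
    return {url: audit_cookies(url, headers) for url, headers in responses}


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES).items():
        status = "OK" if not findings else "EXPOSED"
        print(f"{status:8} {url}")
        for name, reason in findings:
            print(f"         {name}: {reason}")
```
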
Apart from Facebook and Twitter, social networks such as Foursquare and Gowalla are also vulnerable. Moreover, the extension is built to identify cookies from Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo and Yelp.
According to Butler’s post, he created this seemingly diabolical tool to expose the severe lack of security on the web.
“Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win,” Butler says.