The hacker tool Firesheep is spreading with tremendous speed on the internet after being in the headlines lately.

Just a few days ago, an American security expert, Eric Butler, released a tool called Firesheep. This Firefox add-on lets anyone, without any particular computer skills, hijack login information for various social networks on open wireless networks with just two clicks.

Firesheep exploits cookies from various websites, which are actually being transmitted in clear text even if the site uses a secure login, like SSL. Protection against Firesheep requires either that the website visited uses SSL on all pages, not just on the login page, or that the user connects via a VPN tunnel.
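The check below is an added example, not code from the original article or from Firesheep. It shows why an SSL-only login does not help: any cookie set without the `Secure` attribute is attached to later plain-HTTP requests as well. The host `social.example`, the cookie names and values are constructed, and domain and path matching are ignored (assumed same host, `Path=/`).

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers returned by an HTTPS login response.
LOGIN_SET_COOKIE = [
    "session_id=constructed-value-1; Path=/; HttpOnly",
    "auth_token=constructed-value-2; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

# Constructed sample: pages the browser loads after logging in.
FOLLOW_UP_URLS = [
    "https://social.example/login/done",
    "http://social.example/home",
    "http://social.example/photos",
]

def parse_cookies(headers):
    """Return {cookie_name: has_secure_attribute} for the given headers."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = bool(morsel["secure"])
    return jar

def cleartext_exposure(headers, urls):
    """Map each plain-HTTP URL to the cookies a browser would attach to it."""
    jar = parse_cookies(headers)
    exposed = {}
    for url in urls:
        if urlsplit(url).scheme != "http":
            continue  # HTTPS requests are encrypted on the wire
        # Cookies lacking Secure are sent on unencrypted requests too.
        exposed[url] = sorted(n for n, secure in jar.items() if not secure)
    return exposed

if __name__ == "__main__":
    report = cleartext_exposure(LOGIN_SET_COOKIE, FOLLOW_UP_URLS)
    for url, names in report.items():
        print(f"{url}: sent in clear text -> {', '.join(names) or 'nothing'}")
```

Any session-bearing cookie that appears in the report for an HTTP page is readable by others on the same open network; serving every page over SSL and marking the cookie `Secure` removes it from the report.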

It should be emphasized that the vulnerability only applies to open wireless Wi-Fi networks, of the type that can be found in airports, trains, cafes, libraries and schools.

The reports so far have been very focused on Facebook and Twitter, but the list of fully or partially compromised sites includes a wide range of online services. According to TechCrunch, these are some of the sites that are compromised:

Apparently many social network sites are not secured, beyond the big two, Foursquare, Gowalla are also vulnerable. Moreover, to give you a sense of Firesheep’s scope, the extension is built to identify cookies from Basecamp, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, Yelp. And that’s just the default setting—anyone can write their own plugins, according to the post.

It has been claimed that add-ons like Force TLS for Firefox and KB SSL Enforcer for Chrome, extensions that force sites to send information encrypted, will be able to protect against Firesheep. Other experts have warned that they may provide a false sense of security, arguing that the cookies are already sent when the user is logging in, before encryption starts.

So far, the general word of advice is to always use a VPN in wireless networks outside the office, and if you are on an open network you should completely avoid sites that require authentication.

(via IDG News)