How To Hack Into Facebook (using session hijacking)
Back in October, a small, innocent-looking Firefox extension called Firesheep was released by Eric Butler. Its point was to show the public that taking over your logged-in Facebook session can be as easy as stealing candy from a baby.
Websites like Facebook, Twitter and many others let your browser talk to them over plain, unencrypted HTTP, and every one of those requests carries the session cookie the site handed you when you logged in. That cookie is what the site uses to recognise you from one page to the next; anyone who can read it off the network can present it to the site and be treated as you, without ever needing your password. Firesheep does not capture passwords at all; it captures that cookie, and that is all it needs.
Whenever anyone who is logged in to Facebook, or any other site Firesheep has a handler for, loads a page over the same open (unencrypted) hotspot, the extension picks that user’s session cookie out of the traffic and lists the account in its sidebar; with a double-click on the name you are browsing as him/her. It does not need to see the login itself; any page load that carries the cookie is enough. It is easy to imagine the mess this extension created, and I can’t even guess how many pranks have been played on college campuses with it, but it was the best way to bring the vulnerability to the mainstream. To get Firesheep you can download it here.
How To Protect Yourself
It took Facebook close to four months to add a fix, but they have finally done it. The catch is that it is opt-in: you have to turn it on yourself, just as with the other account-security settings you should be used to by now.
To enable it, go to Account Settings –> Account Security –> and check “Browse Facebook on a secure connection (https) whenever possible“. The feature is not yet rolled out to all accounts, so if you don’t see it under Account Security, keep checking for it. Note the “whenever possible”: any part of the site that cannot be served over HTTPS drops you back to plain HTTP, and on that page your cookie is on the wire in the clear again, so the setting shrinks the window rather than closing it. In case you are thinking of ignoring this as just another security scare from the geeks, set up an open Wi-Fi network of your own, install Firesheep on one machine, log in to Facebook from another, and watch your own account appear in the sidebar. Stick to networks and accounts you are authorised to test; doing this to strangers in a cafe is hijacking their accounts, not a demonstration.
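Here is the mechanism from the cookie-theft paragraphs above, and the protection this section describes, boiled down to code. This is an added example written for this post, not Firesheep’s source and not anything Facebook ships. The first half does what the extension does once it has a plaintext HTTP request off the wire: find the Host header, find the Cookie header, and keep the cookie names its per-site handler knows. The second half is the server side of “browse over HTTPS”: the `Secure` cookie attribute, which is what stops a browser from ever sending the session cookie on a plain http:// request. The hostnames, cookie names, cookie values, the handler table and the captured request are all constructed for the example.

```python
"""Firesheep-style cookie theft, and the cookie attribute that defeats it.

Part 1 mirrors what the extension does with a plaintext HTTP request it
sniffed off an open hotspot: read the Host and Cookie headers and keep
the cookie names its per-site handler says make up a login session.
Part 2 models the one browser rule that matters for the fix: a cookie
set with the Secure attribute is only ever sent on https:// requests,
so it never appears in cleartext for a sniffer to take.

All hostnames, cookie names and values here are constructed for this
example; they are not the real cookies of Facebook, Twitter or anyone.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Firesheep shipped a "handler" per site listing which cookies carry the
# login.  Assumed entries, for illustration only.
SESSION_COOKIES: dict[str, set[str]] = {
    "www.social.example": {"user_id", "sess"},
    "microblog.example": {"auth_token"},
}


def parse_http_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Return (host, cookies) from a raw HTTP/1.x request as seen on the wire."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    cookies: dict[str, str] = {}
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return host, cookies


def harvest_session(raw: bytes) -> dict[str, str] | None:
    """The sniffer's core: if the request is for a site we have a handler for
    and carries that site's full set of session cookies, return them.  Those
    values, replayed in a Cookie header, are all an attacker needs to act as
    the victim; no password is involved.  None means nothing usable was seen."""
    host, cookies = parse_http_request(raw)
    wanted = SESSION_COOKIES.get(host)
    if not wanted:
        return None
    stolen = {name: cookies[name] for name in wanted if name in cookies}
    return stolen if set(stolen) == wanted else None


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | bool]]:
    """Split a Set-Cookie header into (name, value, attributes); attribute
    names are lower-cased and bare flags such as Secure become True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | bool] = {}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def browser_would_send(set_cookie: str, url: str) -> bool:
    """Model the rule that matters here: a Secure cookie goes only to https://
    URLs; a cookie without the flag goes to http:// and https:// alike."""
    _, _, attrs = parse_set_cookie(set_cookie)
    scheme = urlsplit(url).scheme.lower()
    if attrs.get("secure", False):
        return scheme == "https"
    return scheme in ("http", "https")


def sniffable(set_cookie: str, host: str) -> bool:
    """True if this cookie would ever travel to host in a plaintext request,
    which is exactly when a Firesheep-style sniffer can lift it."""
    return browser_would_send(set_cookie, f"http://{host}/")


# Constructed capture: what a logged-in victim's browser sends when a page on
# the site is loaded over plain http:// on the shared network.
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: www.social.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: tracking=abc123; user_id=100004; sess=9%3Ae2f1c0; locale=en_US\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

# Two ways the site could have set that session cookie (constructed).
WEAK_SET_COOKIE = "sess=9%3Ae2f1c0; path=/; domain=.social.example; HttpOnly"
HARDENED_SET_COOKIE = "sess=9%3Ae2f1c0; path=/; domain=.social.example; Secure; HttpOnly"

if __name__ == "__main__":
    print("session lifted from the wire:", harvest_session(CAPTURED_REQUEST))
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(f"{label}: ever sent over plain http -> {sniffable(header, 'www.social.example')}")
```

The two halves belong together: the opt-in setting changes which URLs your browser asks for, but only the `Secure` attribute on the cookie guarantees that a stray http:// request (a link, an embedded feature the site cannot serve over HTTPS) does not put the session back on the wire. A site that sets the flag has nothing for the sniffer to find even on the pages that fall back.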
Interestingly enough, this feature was first rolled out to Facebook users in Tunisia, where the government had been hijacking accounts by injecting password-stealing script into the unencrypted login page, another attack that HTTPS defeats. That show of solidarity suggests someone at Facebook is still a rebel at heart.