TORONTO - Think twice before logging into Facebook with free WiFi access -- unless you don't mind snoopers reading and potentially altering your profile.
A software developer is hoping to educate users about the dangers of using unsecured WiFi networks with a computer program that makes it fairly easy for anyone to hack into Facebook and Twitter accounts.
With a download of Firesheep, a plug-in for Mozilla's FireFox web browser, all it takes is patience and a couple clicks to access someone's profile on a variety of websites, also including the photo-sharing site Flickr and the Wordpress blogging platform.
The program sniffs out log ons over the network and easily connects Firesheep users with those accounts.
"Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web," wrote Seattle-based Eric Butler in a blog post explaining his program.
Butler, who declined interview requests, said that not all websites are vulnerable to Firesheep, but too many sites aren't secure enough to thwart hackers. While typed-in login information may be protected, the user-identifying information in cookies -- small text files that websites access on a user's computer -- are not.
"On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy," Butler wrote.
"The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL."
In just over 24 hours, Firesheep was downloaded more than 129,000 times. Among its users is Ian Robertson, an IT professional in Ottawa who took his laptop to a couple of local coffee shops to give the program a test drive with a colleague.
"I was able to see about half a dozen accounts on Facebook and was able to actually log into their accounts, view all their photos, all their private information, their phone numbers -- anything," said Robertson.
"Just for a test with one of my colleagues I logged into his profile and I was able to change his status to single. And within about 10 minutes his girlfriend commented and said, 'Why??"'
Robertson said he was surprised how easy it was to use and was concerned that others might download it for far more malicious purposes than he did.
"You feel kind of powerful, I guess, like you could just go in there and spam away if you wanted to," he said.
Butler probably should've sent out an initial warning about his program first, rather than just unleashing it to the world and leaving users open to exploits, Robertson said.
"He did it to raise awareness of the vulnerabilities of these sites ... but he should've done like some hackers in the past where they ... gave a (warning)."
In Butler's defence, the vulnerability has long existed for more-sophisticated hackers who wanted to grab data from open WiFi networks, Robertson said. It's just that it can now be done by anyone.
He hopes Butler's program forces web administrators to finally act.
"Will they fix it? They have to now that this is in the open."
To protect against getting hacked while using open WiFi, Butler recommends another FireFox plug-in called HTTPS-Everywhere, created by the Electronic Frontier Foundation. It protects against data leaking out while using sites like Facebook, Twitter, Amazon, Wordpress.com blogs and PayPal.
A spokesperson from Facebook was not immediately available for comment.
