Twitter and Facebook hacker defends Firesheep

The hacker who created the Firesheep tool which showed Twitter and Facebook users how insecure they were has defended its release to the great unwashed.

Eric Butler, a freelance web application and software developer based in Seattle, developed Firesheep as an add-on for the Firefox web browser; it allows even idiots to break into the online accounts of people using unsecured Wi-Fi.

Writing in his blog, Butler said that some had questioned the legality of the tool.

However, he said that it was “nobody’s business telling you what software you can or cannot run on your own computer… like any tool, Firesheep can be used for many things.”

Butler said that in addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends.

He said that many cafes and hotels leave their Wi-Fi unsecured so that users don’t need to put in a password to access it.

Also caught out by the tool was PayPal's own mobile payments iPhone app, which has since been patched in a software update.

What the software highlighted was the fact that Facebook only used encryption (HTTPS) when punters first log in, to protect the username and password from leaking. After that it tracked the logged-in session with a cookie sent over unencrypted HTTP. It was this session cookie that Firesheep was sniffing off the open Wi-Fi and replaying to take over the account.
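As an added illustration (not from the article or from Firesheep itself), the following Python audits a Set-Cookie header for exactly the weakness described above: a session cookie that lacks the Secure attribute, so the browser will also send it over plain HTTP where anyone on the same open Wi-Fi can read it. The header values and the cookie-name hints are constructed samples.

```python
# Added example: detect and fix a session cookie that a browser would send over
# plain HTTP. Uses only the standard library so it runs offline.
from http.cookies import SimpleCookie

# Constructed sample headers (hypothetical, not captured from any real site).
WEAK_SET_COOKIE = "sessionid=abc123; Path=/; HttpOnly"
FIXED_SET_COOKIE = "sessionid=abc123; Path=/; HttpOnly; Secure"

# Heuristic name fragments that usually mark an authentication/session cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header value.

    A session cookie without Secure is transmitted in the clear as soon as the
    page loads anything over http://, which is all a sniffer needs to replay it.
    """
    findings = []
    jar = SimpleCookie()
    jar.load(header_value)
    for name, morsel in jar.items():
        looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
        if not looks_like_session:
            continue  # preference cookies etc. are not worth hijacking
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure, will be sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    return findings


def harden(header_value):
    """Rewrite each cookie in the header so it is HTTPS-only and script-hidden.

    Returns one Set-Cookie value per cookie found in the input.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    hardened = []
    for morsel in jar.values():
        morsel["secure"] = True
        morsel["httponly"] = True
        hardened.append(morsel.OutputString())
    return hardened


if __name__ == "__main__":
    print("weak :", audit_set_cookie(WEAK_SET_COOKIE))
    print("fixed:", audit_set_cookie(FIXED_SET_COOKIE))
    print("hardened header(s):", harden(WEAK_SET_COOKIE))
```

The same check can be pointed at any captured response headers; the mitigation the article hints at (serving the whole session over HTTPS) is what makes the Secure flag safe to set without breaking the site.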

Apparently the social notworking site is looking at adopting a totally encrypted system.