A nasty security flaw that let anyone on a shared network hijack your Facebook account is finally being fixed.
The flaw was brought to wide attention last October when software developer Eric Butler released a free Firefox extension called Firesheep, reportedly to bring the problem to light. With Firesheep, anyone can browse the activity of other people on the same Wi-Fi network (at your favorite coffee shop, for example) and even read and write to their accounts. What’s more, using Firesheep doesn’t take any particular skill: it’s a simple point-and-click operation.
Facebook isn’t the only site affected. Amazon, Foursquare, Twitter and WordPress are also vulnerable, among others. And while Firesheep targets particular web addresses, hackers could use the same technique to intrude on other sites. Only unsecured web browsing is vulnerable to this security flaw: in other words, sites you access via “http” addresses, not “https” addresses, which are encrypted. Product pages at Amazon, for example, are unsecured, but when you log in to your account there, it automatically switches to a secured connection.
Facebook didn’t provide the https option, though, and there was no way for users to enable it themselves. That is now changing. Facebook will start offering a secure connection, but you have to request it. They could (and should) have made it the default choice, but so far they haven’t taken that step.
To enable encryption for Facebook, go to Account Settings, and under Account Security check the box that says “Browse Facebook on a secure connection (https).” This feature is not yet available on all accounts. Facebook says it will be rolling out the https option to all users over the next few weeks.
Of course, even when this fix is widely available, it doesn’t eliminate the underlying problem. When you’re surfing the web on a shared network, if the web address doesn’t start with “https,” it’s possible someone is looking over your shoulder.
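For site operators, the two things that decide whether a session can be lifted this way are whether plain-http requests are redirected to https and whether the session cookie is marked Secure (so the browser never sends it over http). The following audit script is an added example, not code from the article or from Firesheep; the two HTTP responses it checks are constructed samples and "example.com" is a placeholder.

```python
# Added example: audit an HTTP response for the conditions that make
# Firesheep-style session hijacking possible on a shared network.
# The sample responses below are constructed; "example.com" is a placeholder.

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(header, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(raw):
    """Return findings explaining why a session would be exposed over plain http."""
    status, headers = parse_response(raw)
    findings = []
    location = next((v for n, v in headers if n == "location"), "")
    # A plain-http request should be bounced straight to the https address.
    if not (status in REDIRECT_CODES and location.lower().startswith("https://")):
        findings.append("plain-http request served without redirect to https")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        # Without Secure, the browser will send this cookie on any http request,
        # where anyone on the same Wi-Fi network can read it.
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie_name}' lacks Secure attribute; it will be sent over http")
    return findings


# Constructed sample: the Firesheep-vulnerable case.
INSECURE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly\r\n"
    "\r\n<html>...</html>"
)

# Constructed sample: the hardened case (redirect to https, Secure cookie).
HARDENED = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.com/\r\n"
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)
```

Run `audit()` over the response your server returns for an http:// URL; an empty list means neither exposure is present.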