Firesheep Firefox add-in harvests cookies on WiFi hotspots

Known as Firesheep, the add-in is creating something of a storm in security forums. Whilst the problem of cookie interception on public WiFi hotspots has been known about for some time, the creation of the add-in opens up cookie harvesting to anyone using the Firefox browser, Infosecurity notes.

The reason for the fuss is that, whilst company remote access systems use a VPN, and banking sites and the like use secure sockets layer (SSL) IP sessions - typically with an https:// address - many social networking sites use cookies and IP addresses to identify recently disconnected users.

This means that a Firesheep user on a public access WiFi hotspot can harvest other hotspot users' online sessions, and then effectively auto-login as that person, Infosecurity notes.

Reports on Twitter suggest that large numbers of internet users are now employing Firesheep to piggyback on other users' Facebook, MySpace and Twitter sessions. Many other sites are reportedly susceptible to this form of hacking, which is known as sidejacking.

Reporting on the issue, Panda Security's head of security research Luis Corrons says that this particular sidejacking technique - including the Firesheep add-in - was shown at a security conference by Eric Butler and a colleague last weekend, with a slide presentation that explains the methodology.

"Don't panic", says Corrons. "Yes, this is bad, but there are some countermeasures to take. The best solution would be to use SSL encryption in all communications, but this has to be supported on the server side, so that won't be happening (at least massively) anytime soon."

"Meanwhile, you should use [a package called] HTTPS Everywhere, which will force the use of https when connecting to some major websites, such as Twitter or Facebook", he said.

"But the best solution right now, if you are connecting through an open WiFi, is using a VPN. If you cannot, at least use HTTPS Everywhere", he added.

 
