How I hacked your Facebook account

by Jeremy Schoemaker on March 8, 2011 · 76 comments

Imagine someone got on the loudspeaker at the Denver International Airport and started yelling out over and over again, “my Facebook username is Johnny@gmail.com and my password is jerky123”.

Now the next day, when everyone and their mom logged into his account, he would claim he got hacked. But did he?

Guess what. Every time you are using a public wifi network, password protected or not, you are shouting to the world your username and password to every website you use that is unencrypted.

Right now, as I write this, I am sitting in the Denver airport. It’s pretty much dead right now. I can see maybe 100 people in the entire terminal.

I just fired up Firefox with the FireSheep extension. Within seconds I have access to various people’s Gmail, Facebook, Yahoo, Hotmail, Amazon, and virtually every possible service known to man.

Keep in mind FireSheep is just a Firefox plugin (Google it) that has been downloaded millions of times. This plugin is totally passive network monitoring at its easiest. It’s been pre-programmed to sniff for certain usernames or passwords for pre-defined sites.

There are TONS of tools that will show you a lot more stuff.

As you can see here I accessed someone’s Facebook account… read some messages. It’s great for passing spare time:

Google accounts are just as easy to get into using the brainless Firesheep extension. I don’t ever do anything malicious… Just maybe set people’s search results to Vietnamese or something:

If you are using a public network of any kind, wifi or not, expect many people to see everything you are doing.

You didn’t just get hacked. You are yelling to anyone that can hear you your username and passwords.

So how do you become more secure? Well, for starters you should always tunnel your traffic through an SSH connection, VPN, or another secure method.

But I know 99.9% of my readers probably don’t know what a VPN is, much less will be able to configure one.

So let’s start with the basics.

To make your Gmail account secure change this setting:

To make all your Google Searches secure use this – https://www.google.com (I set it as my homepage).

To make your Facebook surfing secure change this setting in your account preferences:

Any place where you are not using https:// at the front of the URL you are at, you should expect everyone is watching what you are doing.

Keep in mind this was at an airport where nobody was using computers….

Imagine what I see at an internet conference…..
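For anyone running a site, whether a logged-in session is readable on open wifi comes down to a couple of response headers: as a commenter points out below, what travels in the clear after an https:// sign-in page is the session cookie. The following is an added example, not part of the original post; it checks the `Set-Cookie` and `Strict-Transport-Security` headers of a login response, and the header sets and cookie names in it are constructed.

```python
# Added example: which cookies set at login can a passive sniffer capture?
# All cookie names and values below are constructed for illustration.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def hsts_enabled(headers):
    """True if a Strict-Transport-Security header carries max-age > 0."""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            for directive in value.split(";"):
                k, _, v = directive.strip().partition("=")
                v = v.strip().strip('"')
                if k.strip().lower() == "max-age" and v.isdigit() and int(v) > 0:
                    return True
    return False

def audit(headers):
    """Map each cookie in an HTTPS response to its exposure on open Wi-Fi.

    secure    : has the Secure attribute, browser sends it over https:// only
    hsts-only : no Secure attribute, but HSTS makes the browser upgrade
                later http:// requests to this host
    exposed   : goes out in cleartext on any http:// request to the host
    HttpOnly only hides a cookie from page scripts; it does nothing on the wire.
    """
    hsts = hsts_enabled(headers)
    result = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" in attrs:
                result[name] = "secure"
            else:
                result[name] = "hsts-only" if hsts else "exposed"
    return result

# Constructed responses to an HTTPS login POST on two hypothetical sites.
LOGIN_ONLY_HTTPS = [
    ("Set-Cookie", "session_id=3f9ac0; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HTTPS_THROUGHOUT = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=3f9ac0; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    print("login-only HTTPS:", audit(LOGIN_ONLY_HTTPS))
    print("HTTPS throughout:", audit(HTTPS_THROUGHOUT))
```

Any cookie reported as `exposed` that identifies the session is enough for someone on the same network to ride that session, even though the password itself was sent over https://.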

About the author...

Hi, I am Jeremy Schoemaker and ShoeMoney.com is my blog. 99% of the posts here are done by me, but you will see others occasionally make guest posts. This blog is fun to write, but for my day job I run several online companies.

76 comments

1 Tina Lindgren March 8, 2011 at 6:31 am

Hi
What a great article. I will go change my settings
right now.
It just gets worse and worse with identity stealing, just as it did with
viruses and spyware… we’ll probably end up loading a ton of protection software
before we can proceed with our daily tasks…

Keep up this great blog – I love it :-)

cheers
Tina

Reply

2 dave March 8, 2011 at 7:46 am

That’s interesting that you say that because I feel there has been a TON of people sending emails/facebook posts about being hacked. I feel like one girl sends the message out every single month.

Reply

3 Hotdogman March 8, 2011 at 7:55 am

Evil evil stuff. This is why I don’t like public networks. If you had larceny in your heart, you’d be dangerous!

BTW you just publicly violated Facebook’s TOS 3.5: “You will not solicit login information or access an account belonging to someone else.”

I won’t tell….

Reply

4 Brian P March 8, 2011 at 8:23 am

Wow, is it really that easy to do this? I am curious and I am going to give it a try.

Reply

5 Harry March 8, 2011 at 8:23 am

Hacking is defined as unauthorized usage. You don’t have authorization to access these people’s accounts. Easy or not you have just admitted to the entire world that you have broken the law and have hacked these people’s accounts.

Yes the passwords and session data are being broadcast in plaintext, but admitting to using them seems a bit crazy. It is 100% illegal.

Reply

6 Liam March 11, 2011 at 10:30 am

In computing, a hacker is a person in one of several distinct (but not completely disjoint) communities and subcultures: * A community of enthusiast computer programmers and systems designers, originated in the 1960s around the Massachusetts Institute of Technology (MIT)’s Tech Model Railroad …
en.wikipedia.org/wiki/Hacking_(computing)

Reply

7 Funny Stuff March 8, 2011 at 8:38 am

Only thing I am curious about is why people are interested in other people’s Facebook profiles etc.

Reply

8 Skrull March 28, 2011 at 1:41 pm

If you learn enough about someone, you can learn their security question answer (hometown, street they grew up on, first pet, etc)

Reply

9 Vivek Parmar March 8, 2011 at 10:53 am

Already using these settings and Google 2-step verification enabled, but only thinking to keep my Facebook account safe. Using https, but when you have to access any application you have to change back to http. This is something I have to take care of.

Reply

10 Just Some Guy March 8, 2011 at 10:57 am

But there are problems with the Facebook secure browsing and certain apps. I’ve outlined it at http://bit.ly/e6p30Z so just beware.

Reply

11 sundeesh March 8, 2011 at 11:55 am

While reading this article my URL at the top begins with http:// and not https://. How to avoid this? :D

Wonder if it should be https:// on all the pages I visit while browsing different websites daily.

Reply

12 Ashish Patel March 23, 2011 at 11:47 am

You are not exposing any personal information such as a password or anything important here. So I don’t think every website needs SSL or https to be secured. :)

Reply

13 Trent March 8, 2011 at 12:27 pm

Wow thanks for the heads up on that! I consider myself to be very internet savvy and I had no clue this was so easy.

Reply

14 Backoffice Bob March 8, 2011 at 2:28 pm

Thanks for the HOT TIPS on hacking people’s accounts! :) VPN (Virtual Private Network) for those of you who don’t know how to Google. Thanks, Shoe! :)

Reply

15 Todd March 8, 2011 at 5:16 pm

this is why public wifi scares me

Reply

16 OJQ Jeff March 8, 2011 at 6:04 pm

This is hilarious, I am constantly amazed how lackadaisical people are with their private information. Hopefully this wakes a few people up!

Reply

17 Alexander | Legit Make Money Online March 9, 2011 at 12:56 am

Thanks so much for sharing this information. I definitely went in and changed all my account settings as soon as I read this. I’ve never felt safe on public wifi networks, but I had no idea it was this easy. I’m a little curious to try this, but it’s also kinda scary that you don’t know who could be watching your every Internet move!

Reply

18 Lovey March 9, 2011 at 2:34 am

Note that certain applications take you away from https! They do tell you when you click them. What they do NOT tell you: They change your standard setting! So next time you enter Facebook, you are back on http! So check the URL regularly, if you want to stay safe!

Reply

19 eddy March 9, 2011 at 10:52 am

really helpful
thanks a lot :)

Reply

20 Kirk Taylor March 9, 2011 at 4:37 pm

A definite wake-up call. Thank you, I’ll be adjusting the way I use services.

Reply

21 Korak March 9, 2011 at 5:43 pm

Facebook’s coming integration to payment solutions makes this issue much more serious for their accounts. Smart sniffers are building up lists of user/pass info now and waiting patiently for when they can do something useful with it.

Reply

22 John Tucker March 9, 2011 at 6:55 pm

It is scary what people can find out about you on public wifi, considering it is so easy to protect all that information. I use some software called Remobo on my laptop that creates an instant private network. Then using a simple proxy server on my home computer I route all the traffic through Remobo to my home proxy. Everything is then encrypted. Works for me anyways. Better to be safe than have someone get my info.

Reply

23 Advo Girl March 9, 2011 at 8:38 pm

I was aware of the facebook issue, but appreciate the tips on others. thx

Reply

24 Stop Survey Calls March 9, 2011 at 10:08 pm

Thank you for the Facebook tip!

Reply

25 Ed from htmlpress.net March 10, 2011 at 12:02 am

public wi fi is only good for catching up on the news. thanks for the tip though.

Reply

26 Backlink Checker March 10, 2011 at 3:39 am

I feel special I belong to the 0,01%, Shoe, you made my day

Reply

27 Garrett March 10, 2011 at 11:59 am

Shoe,

Can you explain how you/Firesheep are able to pick up usernames/pws from Gmail, Amazon, Yahoo, and Hotmail? When I visit those sites and attempt to log in it appears that I’m on an https connection…

Gmail.com: redirects to https sign-in page automatically
Hotmail.com: redirects to https sign-in page automatically
mail.yahoo.com: redirects to https sign-in page automatically
Amazon.com: is http by default, but redirects to https sign-in page if you click “Sign-in”

I was under the “assumption” that sending a user/pass via an https sign-in page was secure. So, I’m curious how you’re picking these up. Perhaps you’re getting people that are cookied, have pws saved in browser, and are just getting auto-logged-in when they visit these sites?

Would be cool if you could shed some light on this b/c I don’t want to be seeing Vietnamese search results or have a goatse Facebook avatar after the next Pubcon. :p

Reply

28 Andrei Buiu March 12, 2011 at 1:31 am

He didn’t get any passwords… he is just a show-off… Firesheep doesn’t GET the passwords, it hijacks the session cookie between you (the browser) and the site (for example Facebook). The cookie DOESN’T CONTAIN THE PASSWORD… so please Shoe, explain to me how did you get the password using Firesheep

Reply

29 Garrett March 16, 2011 at 5:40 am

Can the session cookie still be hijacked if your user/pass was entered on an https page (does https matter here)?

Reply

30 Mark March 13, 2011 at 8:16 pm

lol.. I haven’t heard the term goatse mentioned for years. You certainly wouldn’t want someone throwing that up on your profile.

Reply

31 Kevin March 10, 2011 at 4:17 pm

Yea, I’ve seen Firesheep and its power is crazy.

Reply

32 Mohammad Afaq March 10, 2011 at 8:32 pm

OMG, I am sooo changing everyone’s search results to Hindi or Chinese tomorrow :D

Reply

33 teddy March 10, 2011 at 10:11 pm

WOW!! No Way. Totally cool ShoeMoney. Thanks again for sharing your skills to pay the bills.

Teddy

Reply

34 Bryan March 10, 2011 at 10:21 pm

Wow – Never even really put any thought into this issue before. Although I don’t access a lot of public wifi hotspots often, this is helpful in the future (considering more and more locations are getting wifi – it’s nearly everywhere these days).

On another note, I bet you had a heyday passing time this way, eh? :)

Reply

35 Will March 11, 2011 at 4:29 am

Hacking is illegal. I would remove this post right away as you have admitted on a public blog to hacking other people’s accounts. You are making the problem worse by telling others how to replicate the hack.

An irresponsible post.

Reply

36 Aurelius Tjin March 11, 2011 at 7:00 am

Thank you so much for this very helpful information you got here.

Reply

37 Ty Wagner March 11, 2011 at 8:20 am

This is a great post, Shoe, and something that would save people like myself who forget about this security issue sometimes. Especially as an internet marketer you always want your privacy and internet connection secure and free from prying eyes and hackers.

Reply

38 Jerry F March 11, 2011 at 12:35 pm

Ok, so I can thank you for hacking my account? no, just kidding.

Reply

39 Kevin March 13, 2011 at 8:13 am

I’ve done this before! But this was good reminder. Had to double check.

Reply

40 Robert March 13, 2011 at 12:12 pm

You said
“Just maybe set people’s search results to Vietnamese or something”

Wondering why you felt the need to do anything at all? That little prank might be a big deal for a newbie that may lose hours of productive time trying to figure out what the hell happened.

Just because you can, doesn’t mean you should.

Reply

41 Jacmo March 13, 2011 at 6:19 pm

Great reminder and article. We develop a false sense of safety and security. I’d never heard of that plug in either. Will make me think twice over public networks. Thanks.

Reply

42 Ari Lestariono March 14, 2011 at 10:02 am

Does this mean security browser has the impact, and FB server not protected as well?

Reply

43 Ross March 14, 2011 at 12:11 pm

I didn’t have a clue it was that easy! Definitely time to change my settings.

Thanks :)

Reply

44 Rocks March 14, 2011 at 10:26 pm

GREAT post I keep way too much info in gmail for it to be that easy to crack

Reply

45 Sujanath March 20, 2011 at 11:14 am

Is this really possible?
Using wifi seems to be risky then.

Reply

46 Jessica S March 22, 2011 at 11:48 am

Not for nothing but yes it is stupid to log into public networks with key information. That said you opening those people’s profiles and emails that are not yours is most certainly hacking. You could have written this same article without breaching people’s privacy. I have to say I have been following you a long time and found this pretty surprising.

Reply

47 selvi March 23, 2011 at 9:25 pm

thanks a bunch! that surely changes things.

Reply

48 Saber March 24, 2011 at 5:16 pm

Thank you for these tips, but it’s not enough to protect our accounts..

Reply

49 Surrey Web Design March 25, 2011 at 6:05 pm

Wow, you can never be too careful!

Reply

50 Jeremy March 26, 2011 at 7:46 pm

Pretty nifty tool.

I was looking for where to browse with https in Google and couldn’t find it …

Reply

51 voiture eau March 31, 2011 at 8:34 am

Hey, i would like to tell you thanks for giving us that very informative blog post. it is absolutely a to some extent interesting page.

Reply

52 Al Eddy April 20, 2011 at 4:25 pm

Just found your website last night and I got to say LOVE it. Keep up the great work. Right now I am going to go get Firesheep.

Reply

53 Brian T. Edmondson April 21, 2011 at 3:31 pm

Jeremy,

I’m surprised at how few people know about this.

Once I learned about it, I added the ability to make my cell phone a wifi 4G hot spot and never use public wifi at airports (and even hotels) to connect to the internet.

I can only imagine what you can find at Internet conferences!

Brian

Reply

54 col July 29, 2011 at 6:03 pm

Make sure it is encrypted and locked, otherwise it’s no different from public

Reply

55 Rob Woods April 21, 2011 at 5:22 pm

If you want to help protect yourself against Firesheep go and download Blacksheep from Zscaler. It will detect if someone is trying to hack you using Firesheep. Also follow the advice above. In addition to Facebook and Google I’d recommend setting your Twitter profile to use https as well.

Reply

56 blackhathacker April 23, 2011 at 1:46 am

This is like so fuckin’ noob… If I use something like BackTrack, there’s no way you’re gonna protect yourself, and again BackTrack is just the beginning! Hacking tools we Linux pros develop are 1000 times better than that stupid Firefox plugin!

Reply

57 Arbeit April 28, 2011 at 12:45 pm

Yeah sure – there are many ways around this, not only the plugin; also there is a VPN you can buy, so your whole traffic is encrypted. If you are in affiliate marketing, it can save you lots of money to buy one of these

Reply

58 Imran July 14, 2011 at 7:49 am

Does it work when the victim is in a different other than my network? If yes, then it’s ok. But if it doesn’t work then what should I do to hack that victim’s password?

Reply

59 Sahil Kotak July 19, 2011 at 9:10 am

A very helpful article, thanks!

Reply

60 Rodney August 2, 2011 at 4:13 pm

lmao I just downloaded it! That’s funny

Reply

61 jhoira August 19, 2011 at 3:43 am

please hacked this account.,jowjow_obligar@yahoo.com..for my safety.tnx

Reply

62 jimmy August 27, 2011 at 2:51 am

omg that’s my facebook

Reply

63 GAGAN ODEDARA August 27, 2011 at 9:43 pm

AMGD.JMBG

Reply

64 Eric August 29, 2011 at 12:20 am

So there are other ways to hack Facebook lol I hope u all know that

Reply

65 lyndon August 29, 2011 at 10:07 am

Outstanding – I ought to certainly pronounce, impressed with your site. I had no difficulty navigating by indicates all the tabs also as linked info ended up being genuinely simple to accomplish to accessibility. I lately discovered what I hoped for ahead of you understand it whatsoever.

Reply

66 Eric September 13, 2011 at 2:03 am

It is so easy indeed to hack into some accounts….
Is it bad if I want to download the firefox plugin to snoop around ;-)

Reply

67 Jay Martin September 15, 2011 at 7:43 pm

I am guilty of being careless with my connections and this was a big wake up call.

Reply

68 Ann's Life Quotes September 16, 2011 at 8:35 am

Major food for thought here……. Thank you very much Jeremy for bringing this to our attention. I spend a lot of time in public places on wifi and I cringe at the thought that someone has been “watching” me? Just changed both my Facebook and Gmail settings as instructed. Feel a bit better now. Would there be any other things people could get access to this way? Such as internet banking?

Reply

69 Don Lawrence September 16, 2011 at 9:18 pm

Why would anyone care about their Facebook account being hacked? What have you got hidden there? What your lame friends are saying about their noneventful lives? Hack away…

Reply

70 Audiobook Online September 19, 2011 at 6:40 am

I try to keep away from public networks whenever possible but didn’t realise it was that easy for my details to be given to all and sundry.

Thanks for the info – it’s actually pathetic that we have to live our lives worrying about this sort of crap.

Reply

71 chinois September 21, 2011 at 7:36 am

taaaaaaaaaaaaaaaaaaaaaaaaaaaa

Reply

73 manu September 21, 2011 at 6:29 pm

My fb account got hacked, what can I do to get it back?

Reply

74 Jeff Dunham Controlled Chaos September 21, 2011 at 7:07 pm

Oh man… I had no idea that this was even available. I have always wondered how people were able to hack accounts. This can be pretty scary.

Reply

75 Mister September 23, 2011 at 4:21 am

hacking-facebook.com premium

Reply

76 philip February 17, 2012 at 5:29 pm

wow thank you for posting this i have learned lot of things ….

if you need money join here
http://www.clixsense.com/?3829618

Reply
