Firesheep Vigilante Warns Exposed Users by Messaging Them With Their Own Facebook Accounts


You might question his methods, but New York software engineer Gary LosHuertos wanted to warn his fellow Starbucks customers that anyone on the cafe's open Wi-Fi could take over their Facebook sessions with Firesheep, the Firefox extension that captures session cookies sent over unencrypted HTTP and replays them. So he hijacked their accounts to prove it.

Gary sat, idling with a cup of coffee, until he had collected around 40 Facebook sessions with Firesheep, belonging to people clearly unaware that such snooping was possible. Rather than exploiting that access (reading their private messages, say), Gary logged into each account and sent a warning message from every user to their own account, explaining what was going on and why they were at risk.
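What Firesheep actually harvests is the session cookie a site sends in the clear over plain HTTP, and the defence is for the site to mark that cookie Secure (and serve the whole session over HTTPS) so it never crosses the open Wi-Fi unencrypted. The following is an added example, not code from the article or from Firesheep: it parses a constructed capture of cleartext HTTP requests (hypothetical hosts and cookie values, not real traffic), pulls out the cookies a sidejacking tool would replay, and then grades a weak and a hardened Set-Cookie header for the attributes that decide whether the cookie is exposed. The cookie names in SESSION_COOKIE_NAMES are an assumed watch list.

```python
# Added example: what session sidejacking harvests from cleartext HTTP, and the
# Set-Cookie attributes that would have kept the cookie off the wire.

# Constructed sample capture: two plaintext HTTP/1.1 requests as they would be
# seen on an open Wi-Fi network. Hosts and cookie values are hypothetical.
SAMPLE_CAPTURE = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.example-social.test\r\n"
    b"Cookie: c_user=100001234; xs=deadbeef0123; locale=en_US\r\n"
    b"\r\n"
    b"GET /search?q=coffee HTTP/1.1\r\n"
    b"Host: www.example-shop.test\r\n"
    b"Cookie: session-id=9f8e7d6c; ubid=abc\r\n"
    b"\r\n"
)

# Assumed watch list of cookie names that carry an authenticated session.
SESSION_COOKIE_NAMES = {"c_user", "xs", "session-id", "sessionid", "PHPSESSID", "JSESSIONID"}


def _parse_cookie_header(value: str) -> dict[str, str]:
    """Turn 'a=1; b=2' from a Cookie request header into a dict."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name] = val
    return out


def parse_cleartext_requests(capture: bytes) -> list[dict]:
    """Split a raw HTTP/1.x request stream into {host, cookies} records."""
    records = []
    for raw in capture.split(b"\r\n\r\n"):
        if not raw.strip():
            continue
        lines = raw.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:  # lines[0] is the request line
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        records.append({
            "host": headers.get("host", ""),
            "cookies": _parse_cookie_header(headers.get("cookie", "")),
        })
    return records


def harvest_sessions(capture: bytes) -> list[tuple[str, dict[str, str]]]:
    """What a sidejacking tool does: keep only the cookies that identify a session."""
    found = []
    for rec in parse_cleartext_requests(capture):
        hijackable = {k: v for k, v in rec["cookies"].items() if k in SESSION_COOKIE_NAMES}
        if hijackable:
            found.append((rec["host"], hijackable))
    return found


def cookie_exposure(set_cookie: str) -> list[str]:
    """List the weaknesses in a Set-Cookie header that make the session replayable."""
    attrs = [p.strip() for p in set_cookie.split(";")]
    present = {a.split("=", 1)[0].lower() for a in attrs[1:]}  # attrs[0] is name=value
    problems = []
    if "secure" not in present:
        problems.append("missing Secure: cookie is sent over plaintext HTTP and can be sniffed")
    if "httponly" not in present:
        problems.append("missing HttpOnly: cookie is readable by page script")
    if "samesite" not in present:
        problems.append("missing SameSite: cookie is attached to cross-site requests")
    return problems


# The weak setting beside the corrected one (both hypothetical).
WEAK_SET_COOKIE = "xs=deadbeef0123; Path=/; Domain=.example-social.test"
HARDENED_SET_COOKIE = (
    "xs=deadbeef0123; Path=/; Domain=.example-social.test; Secure; HttpOnly; SameSite=Lax"
)

if __name__ == "__main__":
    for host, cookies in harvest_sessions(SAMPLE_CAPTURE):
        print(f"{host}: replayable session cookies {cookies}")
    print("weak:", cookie_exposure(WEAK_SET_COOKIE))
    print("hardened:", cookie_exposure(HARDENED_SET_COOKIE))
```

The harvest side needs nothing more than the bytes on the wire, which is why the attack worked on a cafe network with no interaction from the victims. Marking the cookie Secure only helps if the site also serves the logged-in pages over HTTPS (and ideally sends HSTS), otherwise the browser has no HTTPS connection on which to send it.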

What happened next? Gary heard one guy curse, but otherwise the place stayed silent. Then the Facebook sessions started to drop off. Success, right? The message had gotten through? Except for several users who, despite having read Gary's message (he logged into their accounts again to check), continued to poke and browse away on Facebook. To make the issue vivid, Gary (and again, ethical grey areas ahoy!) logged into one of these users' Amazon accounts, found something they had recently looked at, and mentioned it in a new message. And still: nothing.

So, he took one last stab at it. One last message, sent from within each of the four oblivious users' Facebook accounts:

Really wasn't kidding about the insecurity thing. I won't send another message after this — it's up to you to take your security seriously. You're at the [XYZ Street] Starbucks on an insecure connection, and absolutely anyone here can access your account with the right (free) tool.

Twenty minutes later, they were all still on. Indifference? Ignorance? Some combination of the two? Too creeped out to take any action at all? Clearly the Firesheep problem isn't a purely technical one. [Gary LosHuertos via Reddit]