‘Around half an hour later, I’d collected somewhere between 20 and 40 identities. . . . I decided to send the users messages from their own accounts to warn them of their accounts’ exposure. I drafted a friendly, generic message that stated the location of the Starbucks, what the vulnerability was, and how to avoid it. I sent messages to around 20 people.’
Not a lot I can add here; please go read the original posts. It’s some fairly hair-raising stuff.
Addendum and further explanation at “Herding Firesheep: An Addendum”, Technology Sufficiently Advanced, November 4 2010. Original article repeated on CNNMoney, “Herding Firesheep in New York City”, December 16 2010.
I originally heard about this from Bruce Schneier’s July Crypto-Gram newsletter. I really recommend Schneier’s writings. While he sometimes gets into minute details, he always emphasizes that security starts with the user.
LosHuertos pointed out the same thing in his blog post too: of the 20 people whose Facebook accounts he was able to sidejack and to whom he sent a warning message from their own account, four continued to ignore him. He could look at their account page and see that, yes, the message telling them they were using an unsafe connection had been received, yet they kept Facebook running in the background while they browsed other web pages.
(If you haven’t read the article, Facebook keeps track of what else you are browsing on the internet while you have Facebook open. All of that information is forwarded to Facebook’s servers over the network in unencrypted form. So the writer was able not only to see other users’ Facebook pages and send messages from those Facebook accounts, but also to see which other websites and specific web pages they were browsing.)
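The root cause behind all of this is a login cookie that the browser is willing to send over plaintext HTTP, so anyone sniffing an open Wi‑Fi network can copy it. As an added example (not code from the original post or from LosHuertos’s article), the following Python audits the Set-Cookie headers a site sends and reports which session-like cookies would be attached to unencrypted requests. The cookie names and values are constructed samples, and the list of name fragments used to guess which cookies carry a login session is an assumption you would tune per site.

```python
"""Audit Set-Cookie headers for the attributes that keep a login cookie off
plaintext HTTP.  Added example; all header samples below are constructed."""
from http.cookies import SimpleCookie

# Assumption: name fragments that usually mark a login/session cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "login", "token", "user")

# Constructed Set-Cookie header values, as a server might send them.
SAMPLE_HEADERS = [
    # Login cookie with no Secure flag: sent on every http:// request, so a
    # sniffer on the same network can copy it and replay the session.
    "session_id=EXAMPLE_SESSION_VALUE; Path=/; Domain=.example.com",
    "user_id=123456; Path=/; Domain=.example.com",
    # Preference cookie: exposed too, but it carries no login state.
    "theme=dark; Path=/",
    # Hardened login cookie: only travels inside TLS, not readable by scripts.
    "sess_hardened=EXAMPLE_VALUE; Path=/; Domain=.example.com; "
    "Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (name, Morsel)."""
    jar = SimpleCookie()
    jar.load(header_value)
    if not jar:
        raise ValueError("unparseable Set-Cookie header: %r" % header_value)
    # A Set-Cookie header carries exactly one cookie.
    return next(iter(jar.items()))


def is_session_cookie(name):
    """Heuristic: does the cookie name look like it carries a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookies(set_cookie_headers):
    """Return {cookie_name: [problem, ...]} for every header given."""
    report = {}
    for header in set_cookie_headers:
        name, morsel = parse_set_cookie(header)
        problems = []
        if not morsel["secure"]:
            problems.append("no Secure: browser attaches it to plaintext http:// requests")
        if not morsel["httponly"]:
            problems.append("no HttpOnly: readable by JavaScript running on the page")
        # SameSite is only a recognised attribute on Python 3.8+, hence .get().
        if not morsel.get("samesite", ""):
            problems.append("no SameSite: sent along with cross-site requests")
        report[name] = problems
    return report


def plaintext_exposed(set_cookie_headers):
    """Names of session-like cookies that would travel in the clear."""
    exposed = []
    for header in set_cookie_headers:
        name, morsel = parse_set_cookie(header)
        if is_session_cookie(name) and not morsel["secure"]:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_HEADERS).items():
        print(name, "OK" if not problems else "; ".join(problems))
    print("session cookies exposed on plaintext HTTP:", plaintext_exposed(SAMPLE_HEADERS))
```

Run it against the Set-Cookie headers captured from your own site’s login response. Any name that shows up in the exposed list is a cookie that Firesheep-style sniffing would have collected; the fix on the server side is to serve the whole session over HTTPS and mark the cookie Secure (and HttpOnly), and the fix on the user side is to avoid logging in over open Wi‑Fi without a VPN or a forced-HTTPS connection.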