Open WIFI – I hope this scares you

I have been trying to decide how to present this without encouraging the behavior I describe here. I have decided not to name the product I describe. Many who follow this blog already know the name of the free download I am describing, but I think I can spread the alarm without adding to the problem.

Be aware that in any location with open wifi, others sitting in the same location can steal cookies sent by your computer to the Internet. Among the different functions a cookie serves, a cookie allows your computer to stay connected to a site that requires a name and password login. You do not have to log in for each page you view. However, cookies are basically sent through “the air” and can be captured. I picked up the cookies in the image below in 5 minutes in the coffee shop across the street from my office.

I could click on one of these icons and log in as that person.

What to do?

1) I showed the manager.

2) Be aware of any wifi that does not require you to log in. As I understand the situation (via Leo Laporte and This Week in Google), everyone can be given the login name and password for a protected wifi system and no one could do what I have just done. Use WPA encryption. In other words, the name and password can be given to everyone. Hence, Starbucks could use Starbuck and Starbuck and post this information prominently. It is not the password that provides the protection but the way the encryption works to isolate users. I hope this is correct because it would certainly be a practical solution – I listened to the Security Now podcast to verify, but I have also found a slightly different story online.

3) https is protected, but I would think the danger would be present for those who use the same name and password on other http and https accounts. I am guessing here, but this would seem to be possible.
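As an added illustration of the cookie exposure described above (not part of the original post): a site can mark its login cookie with the standard `Secure` attribute so that the browser sends it only over https. This Python code checks `Set-Cookie` response headers for cookies that lack it; the header values are constructed sample data and the function names are assumptions made for the example.

```python
# Added example: find cookies a browser would also send over plain http.
# SAMPLE_HEADERS is constructed data, not captured traffic.

SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # no Secure attribute
    "auth=xyz789; Path=/; Secure; HttpOnly",       # https only
    "prefs=secure; Path=/; Max-Age=3600",          # value "secure" is not the flag
    "token=1; SECURE",                             # attribute names ignore case
]


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    # The first part is always name=value; everything after is an attribute.
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def exposed_cookies(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute.

    Without Secure, the browser attaches the cookie to http:// requests
    as well, so on an open wifi network it travels unencrypted.
    """
    exposed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for cookie_name in exposed_cookies(SAMPLE_HEADERS):
        print("sent over plain http:", cookie_name)
```
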

I have viewed stories regarding measures that may thwart this security problem or at least alert you that someone is running the software within the vicinity. I cannot vouch for these measures. I may post again to reveal more later, but this is obviously a real danger for those of us who frequent coffee shops and other locations with open wifi.
