Unskilled hackers at your local coffee shop can gain complete access to your Facebook account, and to other online services, with a simple mouse click. Fixing the problem is easy, but many people haven't done it and surf away completely unaware of how exposed they are to this kind of intrusion.

Public hotspots are essentially mini broadcast towers transmitting radio signals to your computer. Like a radio, every computer connected to the hotspot hears everything being transmitted, and on an open hotspot with no encryption nothing scrambles that traffic. Your computer normally only looks at the data "packets" that are specifically addressed to it, but that is a courtesy, not a protection.

Facebook and most other websites work by initially requiring a password to log in. After the password is accepted, Facebook's server sends back a small piece of data called a "cookie," which your browser stores and attaches to every request it makes to the site from then on. Once the cookie is on your system, Facebook no longer needs the password while you navigate the site: the cookie alone is what identifies you.

But when you use that coffee shop's WiFi, your Facebook cookie is also transmitted over the air to every computer connected to the shop's hotspot. "Law-abiding" computers and their users simply ignore packets that are not directed to them. But it is possible, using very simple software available as a browser plugin, to "listen" for other people's cookies and save them. Because Facebook identifies you by the cookie alone, it cannot tell your browser from another one on the same network that presents the same cookie, so anyone holding it can assume your Facebook identity. A simple double-click is all it takes to become another customer online.
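What the plugin does, and why the site can't tell the difference, as an added example (this is illustrative code written for this page, not the plugin's own source or Facebook's). The captured requests, hostnames, cookie names and session values are all constructed inline; nothing touches the network.

```python
"""
Added example: a passive sniffer on an open hotspot recovers session cookies
from plaintext HTTP requests, and a toy server shows that a replayed cookie
is indistinguishable from the victim's own request.

Hostnames, cookie names and values are made up for the demonstration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Session cookie names the sniffer looks for, per host (illustrative names).
TARGET_COOKIES = {
    "www.example-social.com": "sessionid",
    "www.example-shop.com": "auth_token",
}

# Constructed capture: application-layer payloads of three TCP segments that
# an open hotspot broadcasts in the clear. Two carry a target session cookie.
CAPTURED_PAYLOADS = [
    b"GET /home HTTP/1.1\r\nHost: www.example-social.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: locale=en_US; sessionid=7f3a9c1e2b; theme=dark\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example-news.com\r\n\r\n",
    b"GET /orders HTTP/1.1\r\nHost: www.example-shop.com\r\n"
    b"Cookie: auth_token=AbC123xyz\r\n\r\n",
]


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (method, host, cookies) for a plaintext HTTP request, else None."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    m = re.match(r"^([A-Z]+) \S+ HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    cookies: Dict[str, str] = {}
    for pair in headers.get("cookie", "").split(";"):
        k, sep, v = pair.strip().partition("=")
        if sep:
            cookies[k] = v
    return m.group(1), headers.get("host", ""), cookies


def harvest_sessions(payloads: List[bytes]) -> Dict[str, str]:
    """The sniffer's job: map each target host seen to its session cookie."""
    found: Dict[str, str] = {}
    for p in payloads:
        parsed = parse_http_request(p)
        if not parsed:
            continue
        _, host, cookies = parsed
        name = TARGET_COOKIES.get(host)
        if name and name in cookies:
            found[host] = f"{name}={cookies[name]}"
    return found


# Toy server side: the site keeps a session table and identifies the user
# purely by the cookie value. That is the normal design, not a bug by itself;
# the bug is letting the cookie travel in the clear.
SESSION_TABLE = {"7f3a9c1e2b": "alice"}


def server_identify(request: bytes) -> Optional[str]:
    """Who the server believes sent this request, based only on the cookie."""
    parsed = parse_http_request(request)
    if not parsed:
        return None
    _, _, cookies = parsed
    return SESSION_TABLE.get(cookies.get("sessionid", ""))


def forge_request(host: str, cookie: str, path: str = "/messages") -> bytes:
    """The 'double-click': the attacker's own request carrying the stolen cookie."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode()


if __name__ == "__main__":
    stolen = harvest_sessions(CAPTURED_PAYLOADS)
    print("harvested:", stolen)
    attacker = forge_request("www.example-social.com", stolen["www.example-social.com"])
    print("victim request identified as:", server_identify(CAPTURED_PAYLOADS[0]))
    print("attacker request identified as:", server_identify(attacker))
```

The server has no network-level notion of "which laptop" a request came from; a cookie is a bearer token, and whoever bears it is the user. The only remedy the server can apply is to keep the token off the air in the first place.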

(Embedded YouTube video demonstrating the problem.)

If that's not scary enough, once your Facebook account has been compromised, the hacker also has access to every other site you log into through Facebook. Hundreds of sites now accept a Facebook login instead of a separate username and password. One of those is Yahoo Mail, and we were able to log into our mail account with just the Facebook cookie we grabbed out of the air. The trick works with more than just Facebook: a hacker can view your previous Amazon purchases, and even take over a WordPress blog.

Fixing this problem doesn't take much effort. Operators of public hotspots could address the vulnerability at its source by securing their networks with WPA or WPA2 encryption and a password. Even a trivial WPA password (WPA requires at least eight characters, so "12345" itself wouldn't be accepted, but "12345678" would) gives each user an individual encrypted "tunnel" to the access point, so a casual sniffer can no longer swipe cookies out of the air. It is not a complete fix, though: anyone who knows the shop's password and records a user's connection handshake can recover that user's key and decrypt their traffic. A posted password keeps out passers-by, not a determined fellow customer.
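How those per-user "tunnels" come about, and why a shared password undoes them, as an added example written for this page (not code from the article or from any hotspot vendor). It follows the WPA/WPA2-PSK key hierarchy from IEEE 802.11i: PBKDF2-HMAC-SHA1 turns the passphrase and network name into the pairwise master key, and an HMAC-SHA1 PRF mixes that with the two MAC addresses and two nonces exchanged in the clear during the 4-way handshake. The SSID, passphrase, MAC addresses and nonces are made up; the only real values are the published test vector checked below.

```python
"""
Added example: WPA/WPA2-PSK per-client key derivation (IEEE 802.11i), used to
show that every client gets a different key but anyone holding the shared
passphrase plus a captured handshake can derive a client's key too.

SSID, passphrase, MACs and nonces are constructed for the demonstration.
"""
import hashlib
import hmac
from typing import Dict


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes: KCK || KEK || TK) from the PMK and the handshake values."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


# Constructed hotspot and handshakes. Everything here except PASSPHRASE is
# broadcast in the clear (the passphrase is written on the chalkboard anyway).
SSID = "CoffeeShopFreeWiFi"
PASSPHRASE = "12345678"  # minimum WPA length is 8; trivially shared
AP_MAC = bytes.fromhex("0200000000aa")
ALICE_MAC = bytes.fromhex("020000000001")
ALICE_ANONCE = bytes(range(0, 32))
ALICE_SNONCE = bytes(range(32, 64))
BOB_MAC = bytes.fromhex("020000000002")
BOB_ANONCE = bytes(range(64, 96))
BOB_SNONCE = bytes(range(96, 128))


def client_key(passphrase: str, ssid: str, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """What a legitimate client computes after its own 4-way handshake."""
    return derive_ptk(derive_pmk(passphrase, ssid), AP_MAC, sta_mac, anonce, snonce)


def eavesdropper_key(known_passphrase: str, ssid: str, captured: Dict[str, bytes]) -> bytes:
    """What another customer computes from the posted password and a sniffed handshake."""
    return derive_ptk(derive_pmk(known_passphrase, ssid), AP_MAC,
                      captured["sta"], captured["anonce"], captured["snonce"])


if __name__ == "__main__":
    alice = client_key(PASSPHRASE, SSID, ALICE_MAC, ALICE_ANONCE, ALICE_SNONCE)
    bob = client_key(PASSPHRASE, SSID, BOB_MAC, BOB_ANONCE, BOB_SNONCE)
    print("Alice and Bob hold different keys:", alice != bob)
    sniffed = {"sta": ALICE_MAC, "anonce": ALICE_ANONCE, "snonce": ALICE_SNONCE}
    print("Bob, knowing the password, recovers Alice's key:",
          eavesdropper_key(PASSPHRASE, SSID, sniffed) == alice)
    print("A stranger without the password does not:",
          eavesdropper_key("wrongpass", SSID, sniffed) != alice)
```

The nonces are random per association, so two clients never share a key and a recording of one session doesn't unlock another; but the only secret in the derivation is the passphrase, and on a shop network that secret is public. HTTPS on the sites you visit is what protects you from the person at the next table.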

Until then, fixing Facebook on your side is as simple as turning on secure browsing (HTTPS) in the Security section of your account settings page. If it isn't on, Facebook may pop up a warning message from time to time with instructions on how to enable it.

Facebook is not the only service vulnerable to this hack. If you have to use a public hotspot, only use websites that let you browse securely for the whole session, not just the login page. Secure pages begin with https:// in your address bar rather than http://; if a site drops back to http:// after you log in, your cookie is back in the air on every one of those plain requests.
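Why "the login page is HTTPS" is not enough, as an added example written for this page (not Facebook's or any site's code). A browser sends a session cookie on every request to its host, plaintext http:// ones included, unless the site set the cookie with the Secure attribute; so one http:// image or link on an otherwise encrypted page puts the cookie back on the air. The block models that browser rule and runs a small audit over a constructed login response before and after the fix; the cookie name and value are made up.

```python
"""
Added example: the browser's rule for sending cookies over http vs https,
and an audit of Set-Cookie headers a site operator can run against their own
login response. Header values below are constructed.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False    # only ever sent over https
    httponly: bool = False  # not readable by page scripts


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value (RFC 6265 name=value; attr; attr syntax)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        a = attr.lower()
        if a == "secure":
            cookie.secure = True
        elif a == "httponly":
            cookie.httponly = True
    return cookie


def cookies_sent_to(jar: List[Cookie], url: str) -> List[str]:
    """Browser model: a Secure cookie travels only on https URLs; others go on any URL."""
    scheme = urlsplit(url).scheme
    return [c.name for c in jar if scheme == "https" or not c.secure]


def audit_set_cookie(header: str) -> List[str]:
    """Findings a scanner would report for one Set-Cookie header; empty list means ok."""
    cookie = parse_set_cookie(header)
    findings = []
    if not cookie.secure:
        findings.append(f"{cookie.name}: missing Secure; sent over plaintext http")
    if not cookie.httponly:
        findings.append(f"{cookie.name}: missing HttpOnly; readable by page scripts")
    return findings


# Constructed login responses: the weak header leaks on the first http:// request,
# the hardened one never leaves the encrypted connection.
WEAK_SET_COOKIE = "sessionid=7f3a9c1e2b; Path=/"
HARDENED_SET_COOKIE = "sessionid=7f3a9c1e2b; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        jar = [parse_set_cookie(header)]
        print(f"{label}: audit ->", audit_set_cookie(header) or "ok")
        print(f"{label}: sent on http://www.example-social.com/logo.png ->",
              cookies_sent_to(jar, "http://www.example-social.com/logo.png"))
```

The user-side "secure browsing" switch only helps if the site also marks the cookie Secure and keeps every page and sub-resource on https; otherwise the first mixed-content image re-exposes the session. The audit is the check to run on your own login response before telling users they are protected.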

Some sites have already taken steps to secure themselves and their users. Google's email service now defaults all users to a secure connection. Facebook says it is working toward making the feature mandatory but, for the time being, requires users to opt in. Encrypting every connection takes more server resources per user, and multiplied across hundreds of millions of users that can be a major (and expensive) infrastructure upgrade.

"It is far from a simple task to build out this capability for the more than three-quarters of a billion people that use the site and retain the stability and speed we expect, but we are making progress daily toward this end," the company said in a statement.

CTTechJunkie has reached out to a number of establishments to find out why they have not enabled encryption on their hotspots. None had returned our calls or emails at the time of this post.

Good security practices go beyond the local coffee shop, however. You should also secure yourself at home by making sure your home wireless uses WPA or WPA2 encryption. A neighbor or anyone within range of an unsecured access point in your home can run this same hack against your personal information. When you're away from home, consider tethering to your cellphone for Internet access instead of using unencrypted public hotspots. If your cellphone shares its connection over WiFi, secure that hotspot with WPA encryption too.

Have questions? We'll answer them here and on our Facebook page.


Lon Seidman is the host and producer of “Lon.TV,” a consumer technology video show that is on a number of platforms including YouTube and Amazon. He creates in-depth, consumer-friendly product reviews and commentary. His YouTube channel has over 300,000 subscribers and more than 100 million views.

In addition to being a full-time content creator, Lon is an adjunct faculty member at the University of Hartford (his alma mater) where he teaches a course in entrepreneurial content creation.

Prior to becoming a full-time creator, Lon was a partner at The Safety Zone, his family’s business that manufactures gloves and safety equipment. The company has locations around the globe and employs over 200 people worldwide. The Safety Zone was acquired by the Genuine Parts Corporation in 2016.

Lon is also active in public service, serving as the Chairman of the Essex Board of Education, a member of the Region 4 Board of Education, and as the Secretary / Treasurer of the Connecticut Association of Boards of Education. He was endorsed by both Democrats and Republicans for his re-election in 2021.

The views, opinions, positions, or strategies expressed by the author are theirs alone, and do not necessarily reflect the views, opinions, or positions of CTNewsJunkie.com.