In 2010, Eric Butler released a Firefox add-on called Firesheep. Firesheep demonstrated how dangerous unencrypted session cookies can be and how easy it is to hijack accounts that use unencrypted session cookies, which at that time was virtually everyone except your bank and newer Gmail accounts. By default, Facebook, Amazon, The New York Times, Yahoo Mail, Hotmail and most other places used unencrypted session cookies.
In response to the heightened awareness of the problem, Facebook made changes that allow users to have sessions that use SSL for the entire session. That means that nobody is going to hijack your Facebook session as long as you have enabled the SSL (https) connection and keep it enabled. The fly in the ointment is that Facebook application developers, in general, understand frivolity, but not security so much.
In most cases, if you use a Facebook app you are required to switch to an http connection, and this puts your account at risk if you are using an unsecured Wi-Fi connection. This includes connections at most coffee shops, airports, convention centers, hotels, visitor networks that private companies host, and many home wireless access points that are left unsecured.
It is up to the application developers to write applications that work with SSL. This is not an impossible task. A very popular Facebook app is called “Causes.” Causes has more than 18 million monthly users and does not require users to switch to an unsafe, unencrypted session.
Enter Zynga. Zynga is the developer of CityVille (89.9 monthly users), FarmVille (47.2 million monthly users), Texas HoldEM Poker (36.9 million monthly users) and other popular apps. According to AppData.com, Zynga has about 255 million users and I will bet that ALL of Zynga’s apps require an unecrypted connection.
This just makes it too easy for cybercriminals. Interestingly, the Badoo dating app that boasts 63 million monthly users does not require users to lower their security. Zynga isn’t the only developer with development processes that are so helpful to cybercriminals, but as a leader they should be setting an example. I am fairly confident that Microsoft will be seeing to it that the Windows Live Messenger Facebook app (18 million users) gets fixed. Currently the Windows Live Messenger Facebook app requires users to stop using SSL for their Facebook session.