
Thread: [Security] Faceniff Can HiJack Unencrypted Facebook, Twitter, & YouTube Logins

  1. Editor in Chief
    dgstorm's Avatar
    Member #
    154790
    Join Date
    Dec 2010
    Posts
    6,331
    Liked
    2060 times
    Phone
    Enter Current Phone Model Here
    Premium Member
    #1

    [Security] Faceniff Can HiJack Unencrypted Facebook, Twitter, & YouTube Logins



    Here's a story that we want to be cautious in posting as it could be used to nefarious effect. But, we also felt it was important to inform you guys so that you can be armed with enough knowledge to watch out for this kind of thing. Apparently, there is an app called Faceniff that allows you to log in to another person's Twitter, Facebook and YouTube accounts if they log in on a shared WiFi network without SSL encryption. This is a serious security issue that people need to be aware of. We aren't going to post any descriptions of how to do it, or links to the app, obviously. One of the easiest ways to avoid this being a problem is to switch to an HTTPS connection on the web services that support it, like Twitter and Facebook. Also, it's not a bad idea to try and be aware of who is around you while you are on a public WiFi. The use of this app is probably illegal in most countries.

    Source: Android.net via PhanDroid
  3. Droid Ninja
    johnomaz's Avatar
    Member #
    87119
    Join Date
    Jul 2010
    Location
    Central Valley, California
    Posts
    2,256
    Liked
    397 times
    Phone
    HTC One M8
    #2
    Just tried it myself. Creeptastic. I'm so going to toy with my wife. She finally changed her password after I kept posting on her page...sometimes out of fun, sometimes because she left herself logged in on my desktop. All I can say is muwahahaha.
    -------------------------------
    HTC One M8
    -------------------------------
  4. Droid
    alquimista's Avatar
    Member #
    12027
    Join Date
    Dec 2009
    Posts
    31
    Phone
    Motorola Droid
    #3

    Not open source

    First and foremost, don't be afraid of the big bad wolf. Make sure you always use SSL encrypted connections and you will be totally protected against attacks like this. Check with whatever service you are using and see if there is an HTTPS-only option. Or try looking at plug-ins like HTTPS Everywhere | Electronic Frontier Foundation from the EFF.

    Now on to the app itself:

    The app is not like Firesheep. It is not in the same spirit as Firesheep. It is not a means to educate the average Joe. It is not a means to show large social network providers like Facebook that they have glaring security holes. It is not open source.

    For the pen testers out there, you know that most reputable POC/educational tools like this come with readily available source code (see: Firesheep or Creepy). If you look on FaceNiff - Facebook (and other services) Session Hijacker for Android you will find no links to code, and no attempt at transparency.

    I strongly caution against buying and/or installing this apk for two reasons:
    1. It is simply not transparent enough to trust.
    2. It's not a good way to learn anything.

    Like the good man over at Darknet always says, "Don't Learn to HACK - Hack to LEARN."

    ~ALQI
  5. Master Droid
    kinfolk248's Avatar
    Member #
    67476
    Join Date
    May 2010
    Location
    Jackson, Ms
    Posts
    669
    Liked
    15 times
    Phone
    Gnex
    #4
    idk if this really works or is it just a copout of phonemypc. video is kinda fuzzy, makes me remember that youtube video of the guy saying he had bbm on iphone when of course he was using the sms... makes me wonder about this one now...i wonder...
  6. Master Droid
    joeybarclay's Avatar
    Member #
    83005
    Join Date
    Jun 2010
    Posts
    708
    Liked
    3 times
    Phone
    Galaxy Nexus, Motorola Droid
    #5
    Quote Originally Posted by kinfolk248 View Post
    idk if this really works or is it just a copout of phonemypc. video is kinda fuzzy, makes me remember that youtube video of the guy saying he had bbm on iphone when of course he was using the sms... makes me wonder about this one now...i wonder...
    It works. I tried it out, but it looks like you only get 3 uses, then you have to buy the app.
  7. Master Droid
    Captain Crypto's Avatar
    Member #
    177621
    Join Date
    Mar 2011
    Location
    New Jersey
    Posts
    254
    Liked
    13 times
    Phone
    Samsung Galaxy S4 Developer
    #6
    Excellent post. I do this stuff for a living (risk management/security) and I would NEVER recommend the average Joe/Jane install a tool like this without the source code for review. I plan to move over to PE6 tonight, so I'm going to install this on my OG Droid first and see what happens. If it's not kosher, no harm-no foul since I'm blowing everything away anyway (after a full TiBu/nandroid backup first, of course).

    Quote Originally Posted by alquimista View Post
    First and foremost, don't be afraid of the big bad wolf. Make sure you always use SSL encrypted connections and you will be totally protected against attacks like this. Check with whatever service you are using and see if there is an HTTPS-only option. Or try looking at plug-ins like HTTPS Everywhere | Electronic Frontier Foundation from the EFF.

    Now on to the app itself:

    The app is not like Firesheep. It is not in the same spirit as Firesheep. It is not a means to educate the average Joe. It is not a means to show large social network providers like Facebook that they have glaring security holes. It is not open source.

    For the pen testers out there, you know that most reputable POC/educational tools like this come with readily available source code (see: Firesheep or Creepy). If you look on FaceNiff - Facebook (and other services) Session Hijacker for Android you will find no links to code, and no attempt at transparency.

    I strongly caution against buying and/or installing this apk for two reasons:
    1. It is simply not transparent enough to trust.
    2. It's not a good way to learn anything.

    Like the good man over at Darknet always says, "Don't Learn to HACK - Hack to LEARN."

    ~ALQI
  8. Senior Droid
    Royal2000H's Avatar
    Member #
    4200
    Join Date
    Nov 2009
    Posts
    176
    Phone
    Motorola Droid
    #7
    A tool meant for hacking without ethics...
    Oh, not open source?? Requires root?
    Sure, let me install that!

    A tool that sniffs the network would in fact require root, so that's not bad on its own. Obviously, the author of this tool doesn't find it bad to sniff out or take people's personal info... still not too bad on its own. But, it's not open source! Altogether, Bad!

    The guy wrote a program that sniffs other people's info and gives it to you. What's stopping him from stealing all your info for himself??
  9. Senior Droid
    Abadus's Avatar
    Member #
    54268
    Join Date
    Apr 2010
    Posts
    223
    Liked
    3 times
    Phone
    Droid Bionic
    #8
    Quote Originally Posted by Royal2000H View Post
    A tool meant for hacking without ethics...
    Oh, not open source?? Requires root?
    Sure, let me install that!

    A tool that sniffs the network would in fact require root, so that's not bad on its own. Obviously, the author of this tool doesn't find it bad to sniff out or take people's personal info... still not too bad on its own. But, it's not open source! Altogether, Bad!

    The guy wrote a program that sniffs other people's info and gives it to you. What's stopping him from stealing all your info for himself??
    Me not installing it?
    Stock Droid Bionic. Lovin' the 4G.

    OG Droid for my son to watch videos on, and not put sticky fingers onto my new phone.
  10. QiG
    Droid
    QiG's Avatar
    Member #
    3131
    Join Date
    Nov 2009
    Posts
    94
    Phone
    Motorola Droid A855
    #9
    If it's a suspect piece of software, then I would probably recommend axing this thread so curious members don't download/install it...
  11. Droid Ninja
    Snow02's Avatar
    Member #
    159755
    Join Date
    Jan 2011
    Posts
    1,343
    Liked
    27 times
    Phone
    Droid X
    #10
    This actually works very well. I don't condone mucking in other people's accounts, but the sooner amazon, facebook, etc. use https for all traffic the better.
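
The HTTPS advice repeated in this thread can be checked from a service's response headers: a session cookie is only kept off an open Wi-Fi network if it is marked Secure and the browser is told (via HSTS) never to fall back to HTTP. The Python sketch below is an added example, not code from any poster in this thread; the sample responses and the example.test host are constructed, and the function names are hypothetical.

```python
"""Audit a response head for settings that keep session cookies off cleartext Wi-Fi."""

# Constructed sample responses (not captured from any real service).
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
"""
HARDENED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
"""
REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://example.test/
"""

def parse_head(raw):
    """Return (status_code, [(lowercased header name, value), ...])."""
    lines = raw.strip().splitlines()
    code = int(lines[0].split()[1])
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (l.partition(":") for l in lines[1:]) if v]
    return code, headers

def audit(raw, scheme):
    """List reasons a session cookie from this response could cross the network unencrypted."""
    code, headers = parse_head(raw)
    findings = []
    if scheme == "http":
        location = dict(headers).get("location", "")
        if not (code in (301, 308) and location.startswith("https://")):
            findings.append("served over cleartext HTTP with no permanent redirect to HTTPS")
    elif not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header: browsers may still use HTTP")
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if scheme == "http":
            findings.append(f"cookie {cookie} is set over cleartext HTTP")
        elif "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure and will also be sent over HTTP")
    return findings

if __name__ == "__main__":
    for label, raw, scheme in [("weak", WEAK, "https"), ("hardened", HARDENED, "https")]:
        print(label, audit(raw, scheme) or "ok")
```
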
