
[Security] Faceniff Can HiJack Unencrypted Facebook, Twitter, & YouTube Logins

Discussion in 'Android News' started by dgstorm, Jun 2, 2011.

  1. dgstorm
    Offline

    dgstorm Editor in Chief Staff Member Premium Member

    Joined:
    Dec 30, 2010
    Messages:
    6,762
    Likes Received:
    1,144
    Trophy Points:
    113
    Location:
    Austin, TX


    Here's a story that we want to be cautious in posting as it could be used to nefarious effect. But, we also felt it was important to inform you guys so that you can be armed with enough knowledge to watch out for this kind of thing. Apparently, there is an app called Faceniff that allows you to log in to another person's Twitter, Facebook and YouTube accounts if they log in on a shared WiFi network without SSL encryption. This is a serious security issue that people need to be aware of. We aren't going to post any descriptions of how to do it, or links to the app, obviously. One of the easiest ways to avoid this being a problem is to switch to an HTTPS connection on the web services that support it, like Twitter and Facebook. Also, it's not a bad idea to try and be aware of who is around you while you are on a public WiFi. The use of this app is probably illegal in most countries.

    Source: Android.net via PhanDroid
  2. johnomaz
    Offline

    johnomaz Well-Known Member

    Joined:
    Jul 12, 2010
    Messages:
    2,353
    Likes Received:
    199
    Trophy Points:
    63
    Location:
    Central Valley, California
    Just tried it myself. Creeptastic. I'm so going to toy with my wife. She finally changed her password after I kept posting on her page...sometimes out of fun, sometimes because she left herself logged in on my desktop. All I can say is muwahahaha.
  3. alquimista
    Offline

    alquimista New Member

    Joined:
    Dec 5, 2009
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    Not open source

    First and foremost, don't be afraid of the big bad wolf. Make sure you always use SSL encrypted connections and you will be totally protected against attacks like this. Check with whatever service you are using and see if there is an HTTPS-only option. Or try looking at plug-ins like HTTPS Everywhere | Electronic Frontier Foundation from the EFF.

    Now on to the app itself:

    The app is not like Firesheep. It is not in the same spirit as Firesheep. It is not a means to educate the average Joe. It is not a means to show large social network providers like Facebook that they have glaring security holes. It is not open source.

    For the pen testers out there, you know that most reputable POC/educational tools like this come with readily available source code (see: Firesheep or Creepy). If you look on FaceNiff - Facebook (and other services) Session Hijacker for Android you will find no links to code, and no attempt at transparency.

    I strongly caution against buying and/or installing this apk for two reasons:
    1. It is simply not transparent enough to trust.
    2. It's not a good way to learn anything.

    Like the good man over at Darknet always says, "Don't Learn to HACK - Hack to LEARN."

    ~ALQI
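
Added example, not part of the thread or any poster's code: a defender-side check of the "HTTPS only" advice above, run over constructed response headers. It flags the settings that leave a session readable on a shared network (cleartext pages, missing HSTS, session cookies without `Secure`); the host `social.example` and all cookie values are made up.

```python
# Added example: audit constructed HTTP response headers for settings that
# leave a session readable on a shared network. Hosts and cookies are made up.
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, headers):
    """headers: list of (name, value) pairs. Returns a list of finding strings."""
    findings = []
    scheme = urlsplit(url).scheme
    if scheme != "https":
        findings.append("page served over cleartext HTTP")
    names = [n.lower() for n, _ in headers]
    # Browsers only honour HSTS when it arrives over HTTPS.
    if scheme == "https" and "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header")
    for n, v in headers:
        if n.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(v)
            if "secure" not in attrs:
                findings.append(f"cookie '{cookie}' lacks Secure: sent on http:// requests too")
    return findings


# Constructed sample responses (not captured from any real service).
WEAK = ("http://social.example/home", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=3f9a1c; Path=/; HttpOnly"),
])
MIXED = ("https://social.example/login", [  # HTTPS login, but cookie not pinned to HTTPS
    ("Set-Cookie", "session=3f9a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=77ab; Path=/; Secure"),
])
HARDENED = ("https://social.example/login", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for url, hdrs in (WEAK, MIXED, HARDENED):
        print(url, audit_response(url, hdrs) or "OK")
```

The `MIXED` case is the one to watch for: the login page is encrypted, yet the session cookie can still leave the device over plain HTTP on a later request.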
  4. kinfolk248
    Offline

    kinfolk248 New Member

    Joined:
    May 11, 2010
    Messages:
    663
    Likes Received:
    9
    Trophy Points:
    0
    Location:
    Jackson, Ms
    idk if this really works or is it just a copout of phonemypc. video is kinda fuzzy, makes me remember that youtube video of the guy saying he had bbm on iphone when of course he was using the sms... makes me wonder about this one now...i wonder...
  5. joeybarclay
    Offline

    joeybarclay New Member

    Joined:
    Jun 30, 2010
    Messages:
    708
    Likes Received:
    1
    Trophy Points:
    0
    It works, I tried it out, but it looks like you only get 3 uses then you have to buy the app.
  6. Captain Crypto
    Offline

    Captain Crypto New Member

    Joined:
    Mar 8, 2011
    Messages:
    254
    Likes Received:
    3
    Trophy Points:
    0
    Location:
    New Jersey
    Excellent post. I do this stuff for a living (risk management/security) and I would NEVER recommend the average Joe/Jane install a tool like this without the source code for review. I plan to move over to PE6 tonight, so I'm going to install this on my OG Droid first and see what happens. If it's not kosher, no harm-no foul since I'm blowing everything away anyway (after a full TiBu/nandroid backup first, of course).

  7. Royal2000H
    Offline

    Royal2000H New Member

    Joined:
    Nov 13, 2009
    Messages:
    176
    Likes Received:
    0
    Trophy Points:
    0
    A tool meant for hacking without ethics...
    Oh, not open source?? Requires root?
    Sure, let me install that!

    A tool that sniffs the network would in fact require root, so that's not bad on its own. Obviously, the author of this tool doesn't find it bad to sniff out or take people's personal info... still not too bad on its own. But, it's not open source! Altogether, Bad!

    The guy wrote a program that sniffs other people's info and gives it to you. What's stopping him from stealing all your info for himself??
  8. Abadus
    Offline

    Abadus New Member

    Joined:
    Apr 2, 2010
    Messages:
    221
    Likes Received:
    2
    Trophy Points:
    0
    Me not installing it? :D
  9. QiG
    Offline

    QiG New Member

    Joined:
    Nov 11, 2009
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    0
    If it's a suspect piece of software, then I would probably recommend axing this thread so curious members don't download/install it...
  10. Snow02
    Offline

    Snow02 New Member

    Joined:
    Jan 12, 2011
    Messages:
    1,342
    Likes Received:
    9
    Trophy Points:
    0
    This actually works very well. I don't condone mucking in other people's accounts, but the sooner amazon, facebook, etc. use https for all traffic the better.