[Security] Faceniff Can HiJack Unencrypted Facebook, Twitter, & YouTube Logins

dgstorm

Editor in Chief
Staff member
Premium Member
Joined
Dec 30, 2010
Messages
10,991
Reaction score
3,961
Location
Austin, TX
[video=youtube;3bgwVM7t_s4]http://www.youtube.com/watch?v=3bgwVM7t_s4&feature=player_detailpage]YouTube - ‪FaceNiff for Android on LG Swift 2X‬‏[/video]

Here's a story that we want to be cautious in posting as it could be used to nefarious effect. But, we also felt it was important to inform you guys so that you can be armed with enough knowledge to watch out for this kind of thing. Apparently, there is an app called Faceniff that allows you to login to another person's Twitter, Facebook and YouTube accounts if they login on a shared WiFi network without SSL encryption. This is a serious security issue that people need to be aware of. We aren't going to post any descriptions of how to do it, or links to the app, obviously. One of the easiest ways to avoid this being a problem is to switch to an HTTPS connection on the web services that support it, like Twitter and Facebook. Also, it's not a bad idea to try and be aware of who is around you while you are on a public WiFi. The use of this app is probably illegal in most countries.

Source: Android.net via PhanDroid
 
Just tried it myself. Creeptastic. I'm so going to toy with my wife. She finally changed her password after I kept posting on her page...sometimes out of fun, sometimes because she left herself logged in on my desktop. All I can say is muwahahaha.
 
Not open source

First and foremost, don't be afraid of the big bad wolf. Make sure you always use SSL encrypted connections and you will be totally protected against attacks like this. Check with whatever service you are using and see if there is a HTTPS only option. Or try looking at plug ins like HTTPS Everywhere | Electronic Frontier Foundation from the EFF.

Now on to the app itself:

The app is not like Firesheep. It is not in the same spirit as Firesheep. It is not a means to educate the average Joe. It is not a means to show large social network providers like Facebook that they have glaring security holes. It is not open source.

For the pen testers out there, you know that most reputable POC/educational tools like this come with readily available source code (see: Firesheep or Creepy). If you look on FaceNiff - Facebook (and other services) Session Hijacker for Android you will find no links to code, and no attempt at transparency.

I strongly caution against buying and or installing this apk for two reasons:
1. It is simply not transparent enough to trust.
2. Its not a good way to learn anything.

Like the good man over at Darknet always say " Don`t Learn to HACK - Hack to LEARN."

~ALQI
 
idk if this really works or is it just a copout of phonemypc. video is kinda fuzzy, makes a remember that youtube video of the guy saying he had bbm on iphone when of course he was using the sms... makes me wonder about this one now...i wonder...
 
idk if this really works or is it just a copout of phonemypc. video is kinda fuzzy, makes a remember that youtube video of the guy saying he had bbm on iphone when of course he was using the sms... makes me wonder about this one now...i wonder...

It works I tried it out but it looks like you only get 3 uses then you have to buy the app.
 
Excellent post. I do this stuff for a living (risk management/security) and I would NEVER recommend the average Joe/Jane install a tool like this without the source code for review. I plan to move over to PE6 tonight, so I'm going to install this on my OG Droid first and see what happens. If it's not kosher, no harm-no foul since I'm blowing everything away anyway (after a full TiBu/nandroid backup first, of course).

First and foremost, don't be afraid of the big bad wolf. Make sure you always use SSL encrypted connections and you will be totally protected against attacks like this. Check with whatever service you are using and see if there is a HTTPS only option. Or try looking at plug ins like HTTPS Everywhere | Electronic Frontier Foundation from the EFF.

Now on to the app itself:

The app is not like Firesheep. It is not in the same spirit as Firesheep. It is not a means to educate the average Joe. It is not a means to show large social network providers like Facebook that they have glaring security holes. It is not open source.

For the pen testers out there, you know that most reputable POC/educational tools like this come with readily available source code (see: Firesheep or Creepy). If you look on FaceNiff - Facebook (and other services) Session Hijacker for Android you will find no links to code, and no attempt at transparency.

I strongly caution against buying and or installing this apk for two reasons:
1. It is simply not transparent enough to trust.
2. Its not a good way to learn anything.

Like the good man over at Darknet always say " Don`t Learn to HACK - Hack to LEARN."

~ALQI
 
A tool meant for hacking without ethics...
Oh, not open source?? Requires root?
Sure, let me install that!

A tool that sniffs the network would in fact require root, so that's not bad on it's own. Obviously, the author of this tool doesn't find it bad to sniff out or take people's personal info... still not too bad on it's own. But, it's not open source! Altogether, Bad!

The guy wrote a program that sniffs other people's info and gives it to you. What's stopping him from stealing all your info for himself??
 
A tool meant for hacking without ethics...
Oh, not open source?? Requires root?
Sure, let me install that!

A tool that sniffs the network would in fact require root, so that's not bad on it's own. Obviously, the author of this tool doesn't find it bad to sniff out or take people's personal info... still not too bad on it's own. But, it's not open source! Altogether, Bad!

The guy wrote a program that sniffs other people's info and gives it to you. What's stopping him from stealing all your info for himself??

Me not installing it? :D
 
If it's a suspect piece of software, then I would probably recommend axing this thread so curious members don't download/install it...
 
This actually works very well. I don't condone mucking in other people's accounts, but the sooner amazon, facebook, etc. use https for all traffic the better.
 
Back
Top