[Security] Faceniff Can HiJack Unencrypted Facebook, Twitter, & YouTube Logins

dgstorm

Editor in Chief
Video: YouTube - FaceNiff for Android on LG Swift 2X (http://www.youtube.com/watch?v=3bgwVM7t_s4)

Here's a story that we want to be cautious in posting as it could be used to nefarious effect. But, we also felt it was important to inform you guys so that you can be armed with enough knowledge to watch out for this kind of thing. Apparently, there is an app called Faceniff that allows you to log in to another person's Twitter, Facebook and YouTube accounts if they log in on a shared WiFi network without SSL encryption. This is a serious security issue that people need to be aware of. We aren't going to post any descriptions of how to do it, or links to the app, obviously. One of the easiest ways to avoid this being a problem is to switch to an HTTPS connection on the web services that support it, like Twitter and Facebook. Also, it's not a bad idea to try and be aware of who is around you while you are on a public WiFi. The use of this app is probably illegal in most countries.

Source: Android.net via PhanDroid
 

johnomaz

Silver Member
Just tried it myself. Creeptastic. I'm so going to toy with my wife. She finally changed her password after I kept posting on her page...sometimes out of fun, sometimes because she left herself logged in on my desktop. All I can say is muwahahaha.
 

alquimista

Member
Not open source

First and foremost, don't be afraid of the big bad wolf. Make sure you always use SSL encrypted connections and you will be totally protected against attacks like this. Check with whatever service you are using and see if there is an HTTPS-only option. Or try looking at plug-ins like HTTPS Everywhere from the EFF.

Now on to the app itself:

The app is not like Firesheep. It is not in the same spirit as Firesheep. It is not a means to educate the average Joe. It is not a means to show large social network providers like Facebook that they have glaring security holes. It is not open source.

For the pen testers out there, you know that most reputable POC/educational tools like this come with readily available source code (see: Firesheep or Creepy). If you look on the FaceNiff page ("FaceNiff - Facebook (and other services) Session Hijacker for Android") you will find no links to code, and no attempt at transparency.

I strongly caution against buying and/or installing this apk for two reasons:
1. It is simply not transparent enough to trust.
2. It's not a good way to learn anything.

Like the good man over at Darknet always says, "Don't Learn to HACK - Hack to LEARN."

~ALQI
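One concrete check that follows from this advice (an added example, not code from the thread or from FaceNiff): a small Python auditor that reads a captured HTTP response and reports session cookies set without the Secure attribute, which is what lets a passive sniffer on open WiFi replay a login, and whether a plain http:// request was redirected to https:// at all. The site, cookie names and both responses are constructed.

```python
"""Audit an HTTP response for the weakness FaceNiff-style session hijacking
relies on: a session cookie the browser will also send over plain http://."""

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value: str) -> dict:
    """Split one Set-Cookie value into its name and the flags we care about."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {
        "name": name,
        "secure": "secure" in attrs,      # Secure: never sent over plaintext HTTP
        "httponly": "httponly" in attrs,  # HttpOnly: not readable by page scripts
        "session": any(h in name.lower() for h in SESSION_HINTS),
    }


def audit_response(raw: str) -> dict:
    """Report session cookies a passive sniffer on open WiFi could replay,
    and whether the plain-http request was redirected to https:// at all."""
    lines = raw.strip().splitlines()
    status_code = lines[0].split()[1]
    location, cookies = "", []
    for line in lines[1:]:
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key.lower() == "set-cookie":
            cookies.append(parse_set_cookie(value))
        elif key.lower() == "location":
            location = value
    return {
        "redirects_to_https": status_code.startswith("3")
        and location.lower().startswith("https://"),
        "exposed_cookies": [c["name"] for c in cookies
                            if c["session"] and not c["secure"]],
    }


# Constructed responses: WEAK answers an http:// login with a session cookie
# that lacks Secure; FIXED bounces to https:// and marks the cookie Secure.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/
Content-Type: text/html"""

FIXED_RESPONSE = """HTTP/1.1 301 Moved Permanently
Location: https://example.test/login
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly"""
```

Run audit_response over a response captured from your own site's login endpoint; any name in exposed_cookies is a cookie that would travel in the clear over an open WiFi.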
 

kinfolk248

Active Member
idk if this really works or is it just a copout of phonemypc. video is kinda fuzzy, makes me remember that youtube video of the guy saying he had bbm on iphone when of course he was using the sms... makes me wonder about this one now...i wonder...
 

joeybarclay

Member
It works, I tried it out, but it looks like you only get 3 uses, then you have to buy the app.
 
Member (joined Mar 8, 2011, New Jersey)
Excellent post. I do this stuff for a living (risk management/security) and I would NEVER recommend the average Joe/Jane install a tool like this without the source code for review. I plan to move over to PE6 tonight, so I'm going to install this on my OG Droid first and see what happens. If it's not kosher, no harm, no foul, since I'm blowing everything away anyway (after a full TiBu/nandroid backup first, of course).


Royal2000H

Member
A tool meant for hacking without ethics...
Oh, not open source?? Requires root?
Sure, let me install that!

A tool that sniffs the network would in fact require root, so that's not bad on its own. Obviously, the author of this tool doesn't find it bad to sniff out or take people's personal info... still not too bad on its own. But, it's not open source! Altogether, Bad!

The guy wrote a program that sniffs other people's info and gives it to you. What's stopping him from stealing all your info for himself??
 

Abadus

Member
Me not installing it? :D
 

QiG

Member
If it's a suspect piece of software, then I would probably recommend axing this thread so curious members don't download/install it...
 

Snow02

Active Member
This actually works very well. I don't condone mucking in other people's accounts, but the sooner Amazon, Facebook, etc. use HTTPS for all traffic, the better.
 