Stealing cookies, and with them potentially users' credentials, just got so easy and portable that loony stalkers are probably jumping for joy. Picture this mobile scenario: a person with a rooted Android smartphone casually strolls by a Starbucks, taps once on a new app, and whammo, hops onto and takes over Facebook profiles.
Like a wicked mobile cousin of Firesheep, FaceNiff could let even a clueless noob hack Facebook over Wi-Fi networks. The hacking app requires root access on Android phones. FaceNiff lets users sniff and intercept web sessions for Facebook, Twitter, YouTube, Amazon, and Nasza-Klasa (a Polish site). Unlike Firesheep, FaceNiff also listens in on wireless networks encrypted with WPA and WPA2 (WEP too), so with one tap and within seconds, users can hijack any of the supported account types.
Not that you intend to try out FaceNiff, but the app won't let you hijack more than three profiles. However, FaceNiff developer Bartosz Ponurkiewicz says more sites for hopping onto user accounts will soon be supported. He noted that for anyone who wants to hijack more than three profiles, there will be an option to pay and unlock the code.
FaceNiff has been confirmed to work on rooted mobile phones: HTC Desire CM7, original Droid/Milestone CM7, SE Xperia X10, Samsung Galaxy S, Nexus 1 CM7, HTC HD2, LG Swift 2X, LG Optimus black (original ROM), LG Optimus 3D (original ROM), and Samsung Infuse.
Here's a video of FaceNiff in action:
As a portable sniff-and-snoop tool, FaceNiff presents yet another possible assault on privacy and security. Imagine how happy this might make off-their-rocker stalkers, because it's not just for public wireless networks. Depending on how you manage your wireless network at home, someone could park outside or walk by your house and FaceNiff you.
This one-tap-wonder app again underscores the importance of using HTTPS. If you have not done so, you can tweak your Facebook and Twitter settings to always use HTTPS. Or use the EFF's Firefox add-on HTTPS Everywhere, or another add-on of your choosing, to force SSL. HTTPS is your friend. It is way past time to start applying major public pressure to force sites to use HTTPS. Or perhaps it's time to get serious about security and use a VPN; stay under 100MB and this one is free, or you might want to search for other free VPN services to protect your privacy.
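The reason a Wi-Fi sniffer gets anything useful is that a session cookie set without the Secure flag rides along on every plain http:// request. As an added example (not FaceNiff's code, nor the author's), this Python script audits Set-Cookie headers for the flags a site should set; the headers and host names in it are constructed placeholders, not real Facebook or Twitter responses.

```python
# Audit Set-Cookie headers for the flags that keep a session cookie off plain HTTP.
# Added example, not FaceNiff's or the author's code. A cookie without the Secure
# flag is sent on every http:// request, which is exactly what a Wi-Fi sniffer reads.
from http.cookies import SimpleCookie

# Constructed sample responses (placeholder hosts, not real Facebook/Twitter headers).
SAMPLE_HEADERS = {
    "weak.example": [
        "sessionid=abc123; Path=/; HttpOnly",  # no Secure flag -> sniffable
        "tracking=xyz; Path=/",                # not a session token, ignored
    ],
    "hardened.example": [
        "sessionid=abc123; Path=/; Secure; HttpOnly",
    ],
}

# Cookie names that usually carry an authenticated session (heuristic).
SESSION_HINTS = ("sessionid", "sid", "auth", "token", "phpsessid", "jsessionid")

EXPLANATIONS = {
    "no-secure": "also sent over http://, so a Wi-Fi sniffer can replay it",
    "no-httponly": "readable by page script, so XSS can steal it",
}

def looks_like_session(name):
    n = name.lower()
    return any(hint in n for hint in SESSION_HINTS)

def audit(set_cookie_headers):
    """Return {cookie name: [finding tags]} for every session-looking cookie."""
    findings = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # one Set-Cookie header = one cookie
        for name, morsel in jar.items():
            if not looks_like_session(name):
                continue
            issues = []
            if not morsel["secure"]:  # "" when the flag is absent, True when set
                issues.append("no-secure")
            if not morsel["httponly"]:
                issues.append("no-httponly")
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for host, headers in SAMPLE_HEADERS.items():
        for cookie, tags in audit(headers).items():
            print(host, cookie, "; ".join(EXPLANATIONS[t] for t in tags) or "ok")
```

Forcing HTTPS in the browser, as the add-ons above do, works around a missing Secure flag from the client side; the flag itself is the fix a site owner controls.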
While we are on the subject of Android and apps, Lookout Mobile Security reported finding 26 malware-laced applications in the official Android Market. The smartphone security firm said the infected apps carry a "stripped down version of DroidDream" and were probably crafted by the same developers. The new malware is being called "Droid Dream Light" (DDLight). Malware in the tainted apps can be activated by an incoming call, meaning users do not actually have to launch the app to trigger it.
Anyone who downloaded an app on Lookout's list could have had their personal information compromised. It is suspected that between 30,000 and 120,000 users were affected by DroidDreamLight.
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.