In October 2010, a small application called Firesheep had Internet users quivering in fear that their social accounts could be hacked instantly, with a small Firefox extension able to hijack Facebook, Twitter, and Flickr and Amazon.com sessions whist they were connected to unsecured wifi.
With Firesheep requiring a desktop computer to steal a users cookies and authenticate them as any user browsing on the same wireless network, the potential for attacks was rather limited. However, an enterprising developer has taken the same concept and shoehorned the technology into an Android application called FaceNiff, providing a user with the ability to take over Facebook, Twitter and YouTube accounts simply by joining a network and running the app.
FaceNiff requires a rooted Android handset, a barrier for a few but with a wealth of information on the Internet, easily achieved by many. Securing a network doesn’t seem to help either, as the application can snoop information on WEP, WPA and WPA2 WiFi networks.
The application reinforces the need for all social networks to employ SSL encryption on their services, stopping tools like FaceNiff from working in seconds. Both Facebook and Twitter have such an option embedded within the settings but many users are unaware of the option.
The app is meant to be a proof of concept and only used for educational purposes but has been confirmed to work on HTC Desire CM7, Original Droid/Milestone CM7, Sony Ericsson Xperia X10, Samsung Galaxy S, Nexus 1 CM7, HTC HD2, LG Swift 2X, LG Optimus Black and LG Optimus 3D.
The APK file is limited so it can only be used to hijack 3 social profiles. Despite this, developer Bartosz Ponurkiewicz says that users can donate via PayPal for an unlocked version of the application.
To help protect your social networking profiles and assist you in securing your accounts, you can click here for information on how to encrypt your Facebook traffic and here for information on how to secure your Twitter account.