Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 3rd, 2011

Web Sessions Over Protected Wireless Networks Can Be Hijacked With An Android App

A new Android app makes hijacking other people’s Facebook, Twitter, YouTube and Amazon sessions a breeze over private or open wireless networks. Called FaceNiff, the app is the work of a Polish programmer named Bartosz Ponurkiewicz and was apparently released on his website in mid-May.

“It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK),” the developer writes. FaceNiff requires root access on the phone in order to work properly. Root (admin) access is not enabled by default on most devices, but there are many tutorials and tools available to obtain it.

So far, the app can hijack sessions for FaceBook, Twitter, Youtube, Amazon and Nasza-Klasa, a Polish social networking service. It has been confirmed to work on HTC Desire CM7 (CyanogenMod 7), Original Droid/Milestone CM7, SE Xperia X10, Samsung Galaxy S (Galaxy S T-Mobile), Nexus 1 CM7, HTC HD2, LG Swift 2X, LG Optimus Black – original rom, LG Optimus 3D – original rom, Samsung Infuse.

Session hijacking, also known as side-jacking, involves attackers positioning themselves between users and websites in order to steal session cookies, the small text files stored in browsers so that services can remember authenticated users.

Session cookies can be placed into any browser to take control over the sessions they correspond to. This type of attack does not expose passwords, but does give attackers access to the victims’ accounts.

Firesheep, an extension for Firefox released last year is based on a similar concept and its availability led to major websites like Google, Facebook, Twitter and others to speed-up their SSL deployment plans.

At the moment, the only method to protect the transmission of session cookies over wireless networks is to encrypt them and this can only be done on websites that support HTTPS, a combination of HTTP and SSL/TLS.

Users are strongly advised to only log into websites that support HTTPS when connected over wireless networks. The HTTPS-Everywhere extension developed by the EFF can force HTTPS automatically on major websites.

FaceNiff app homepage:

Credit: News

Share this item with others:

More on CyberInsecure:
  • Rogue Phishing App Spread Through Android Marketplace
  • Service Cracks Wireless Passwords From The Cloud
  • Android Market Security Update Released By Google Contained Mobile Trojan
  • Patch For Android Security Flaw Released By Google And T-Mobile
  • Hackers Jailbreak T-Mobile’s And Google’s Android Phone

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Web Sessions Over Protected Wireless Networks Can Be Hijacked With An Android App

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.