Android app offers Wi-Fi hacking of Facebook accounts

Video demo shows how easy it is to use a new Android app to hijack Facebook accounts on Wi-Fi networks.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Sometimes seeing is believing. The FaceNiff Android app, released earlier this month, allows anyone to snoop on traffic on Wi-Fi networks and even hijack Facebook accounts. Sounds bad, but this video demo drives the message home by showing just how easy it is to do:

The app, which works on Android phones that have been rooted, offers "one-touch hacking," says Kevin Mahaffey, founder and chief technology officer at mobile security firm Lookout. The technique isn't new--it's akin to a mobile version of the Firesheep Firefox extension released last year--but it makes it super easy and mobile.

"Even on encrypted Wi-Fi networks the app can do ARP (address resolution protocol) spoofing where it advertises itself as the MAC address of the router to try to get the computers on the network to send traffic through the device," Mahaffey says.

And it's not just for Facebook account hijacking. The developer is broadening the app so it can be used to target accounts on Twitter, YouTube, Amazon, and Polish social-networking site Nasza-Klasa.

To protect against this type of attack you should use SSL (Secure Sockets Layer) encrypted communications by either typing in "https://" before the Web address or setting SSL as a default on the Web sites you visit often. For instance, in Facebook you do this by clicking "Account Settings" under "Account" drop-down menu in the upper right corner, then clicking "Account Security" and checking the "Secure Browsing (https)" box. And if the site doesn't support "https" use a Virtual Private Network if you can.

Even though tools like this can be harmful in the wrong hands, researchers typically release programs that exploit security weaknesses to alert Web surfers to the problem so they can protect themselves and to prompt Web sites to offer SSL support.