In-depth look on FaceNiff and Session Hijack

Now days , even a  “uncle/auntie” (its a term used in Malaysia to describe someone who is older , its just like how you would address your neighbour , Smith as Mrs Smith who is 50 years old. Here in Malaysia , we would call her “auntie”)  with a smartphone is able to hack other person’s Facebook/Twitter and easily do anything with it. That’s right , folks the 2nd generation of FireSheep is born and this time its for Android. In this article , I’ll be explaining to you the basics of this and how you can protect yourself !

FaceNiff for Android (Source : Malaysian Wireless)

more after the jump….

I am quite sure that number of you have already heard about FireSheep. Basically FireSheep is an add-on for Firefox which does HTTP Session Hijacking . In other words easy Facebook/Twitter hacking. Thankfully Facebook/Twitter have patched this up and now its no longer possible to use FireSheep to hack those stuff. However it still works with a lot of different sites.
Now extending to this idea , FaceNiff (yes thats what its call) does that exactly , – except its from your Android phone. All you have to do is root your phone (if you have not) and install this application and spend an hour at Starbucks – voila you are able to get that pretty lady’s name that you are eyeing for the past year. Its creepy and imagine stalkers stalking you. I am not going to bore you with how its going to work and how you can hack your Facebook password and stuff. For details just check out the site and bear in mind you’ll have to pay for the application if you want to unlock the entire thing , otherwise you are only limited to Facebook and only with the first 3 session that it captures. The software costs $5 USD (thats around ~RM 15)
How does it work ?
Just think of as how eavesdropping works ? Have you eavesdropped before ? The concept of this application works in the same way as how you’ve eavesdropped someone’s conversation.This is provided that you are within the hearing range and if you are able to comprehend what the other person is saying. Again , the same concept applies here as well.
This application simply works by “eavesdropping” your connection. As you know that Public WiFi is not secure , as anyone can able to eavesdrop on what you are doing. This tool just makes it easier. All a person now has to do is run this and he is able to capture your Facebook session , which means that he is able to login as you and do some nasty things. However  bear in mind that he is not able to capture your Facebook password , just your “login thingy” (or session).
Session works this way , it basically stores who you are . So facebook knows that oh its you and I shall display your wall instead of X’s wall. Its just to identify. This application works by hijacking HTTP Session , again think of it as an established connection between you and the server. I wouldn’t really go into details on how Session works. A simpler example would be your online banking service , remember how if you have left your PC unattended for 1minute , the system would automatically log you off  ? Its the same thing . The only different is your bank uses a secure session while facebook does not (by default)
How do I secure it ?
Simply enable HTTPS in your Facebook and in your Twitter by reading here (Facebook)  or here (for Twitter) . Alternatively you may want to get HTTPS Everywhere , its a beautiful add-on for Firefox , which forces HTTPS for Facebook , Twitter and a lot of other sites by default. This way it would prevent people who are using FaceNiff to get your information soo easily , but it would still not stop hackers from hacking into your PC , especially if you are using a Public WiFi such at a cafe or at airport
So how do I fully secure it ?
By using VPN of course. This is how big corporations do it for their staffs who work from their home. A secure connection is established between the client and the server , and all information will be routed securely to the server. A good example would be to use Hotspot Shield whenever you are on Public WiFi , as this would prevent hacker from even sniffing what are you doing , as the connection would be routed securely to Hotspot Shield’s server. If you do not trust Hotspot Shield , you may use any other paid VPN providers out there.
To be on the safer side , never ever use Public WiFi to check your personal things such as bank account balance. If you must , use a VPN otherwise use your home/trusted connection.
One more thing , be sure to different passwords for each of your services
The Internet is not a safe place,  the moment you are connected to the Internet – there is a risk of you getting hacked in one way or another. You may start practice safe browsing habits when you are using Public WiFi. I strongly urge you to spread this message to your friends especially those who like to spend long hours in Starbucks for the Free WiFi !

4 thoughts to “In-depth look on FaceNiff and Session Hijack”

  1. Might as well add that FaceNiff works even on WPA encrypted wireless network…afaik firesheep only works in unsecured network
    I”m coming out with my own tips later…do read ya

  2. They are an easy way to correct crooked or undersized teeth.
    But if you’re eager to find out if you’re keeping in step with women’s shoe
    trends, try to see if you have over-the-knee boots or strappy
    ankle boots in your shoe closet. If the individual lives in the
    same town as you, then you do not even have to arrange for delivery.
    To their surprise, there are absolutely no numbers in the language of Piraha tribes.

Leave a Reply

Your email address will not be published. Required fields are marked *