Hackers have developed a scary new piece of software that allows anyone with a rooted Android phone to take over social network accounts (such as Facebook and Twitter) that are being used over an insecure connection. A rooted phone is one on which the owner has administrative access, which is not the default.
This software is called FaceNiff, and all a hacker has to do is download it onto their Android phone and activate it. After connecting to any nearby wifi network, they can hijack any Facebook or Twitter session on that same network that is not protected by a secure connection.
Session Hijacking and Session ID Cookies
Any hacker with the proper tools can intercept unencrypted session ID cookies from websites like Facebook as the cookies are transmitted over wifi networks. These cookies carry the identifier the site treats as proof that you are logged in. This is known as session hijacking. Here’s how it works: when you log in to Facebook (or any other website on which you have a user account), the site assigns you a session ID. This session ID allows Facebook to remember who you are across all of your actions during that session (such as posting to a wall, making a status update, sending a message, etc.).
All FaceNiff has to do is to pick this session ID cookie out of the air, and then send back an action to Facebook (such as making a status update) with the same session ID.
Facebook has no way of knowing that this is not you, since the session ID cookies are identical.
How FaceNiff Works
FaceNiff displays the discovered identities on a sidebar and allows the hacker to instantly take on the login credentials of a user by simply double-clicking on the victim’s name.
Think of FaceNiff as Firesheep gone mobile — you may recall that Firesheep was released last year by a white hat hacker (meaning someone looking to exploit online vulnerabilities in order to get them fixed) to bring attention to this problem.
The main difference between Firesheep and FaceNiff is that Firesheep requires a computer. With FaceNiff, all you need is your phone, so it’s much more mobile.
In other words, hackers no longer really have to know anything to steal your identity. They simply need to know how to download software to their phone and turn it on.
FaceNiff’s Achilles Heel: Virtual Private Networks
Luckily, there is something you can do to keep yourself safe from FaceNiff (and Firesheep, for that matter): use a virtual private network (VPN). While you can turn on secure browsing (or HTTPS) in Facebook and Twitter, this still leaves you exposed to other kinds of hacking attempts.
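To make the session ID explanation above and the HTTPS point concrete, here is an added example (not code from the original article or from the FaceNiff or PRIVATE WiFi authors). It parses Set-Cookie headers, reports the attributes that keep a session cookie off the unencrypted channel a wifi sniffer listens on, and models the browser rule that a cookie marked Secure is only ever attached to https:// requests. The header strings and the example.test URLs are constructed for illustration and are not taken from any real site.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie
out of plaintext wifi traffic (hypothetical example code)."""

from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for bare flags like Secure
    attributes: Dict[str, Union[str, bool]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value in the RFC 6265 shape:
    'sid=abc; Path=/; Secure; HttpOnly' -> Cookie('sid', 'abc', {...})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit(cookie: Cookie) -> List[str]:
    """Return the weaknesses that let a session cookie be read on the wire
    or reused by someone else; an empty list means the cookie is hardened."""
    findings = []
    if "secure" not in cookie.attributes:
        findings.append("missing Secure: the browser will send it over plain HTTP, "
                        "where anyone on the same wifi network can read it")
    if "httponly" not in cookie.attributes:
        findings.append("missing HttpOnly: page scripts can read the cookie")
    if "samesite" not in cookie.attributes:
        findings.append("missing SameSite: the cookie rides along on cross-site requests")
    return findings


def would_cross_the_wire_in_clear(cookie: Cookie, url: str) -> bool:
    """Model the browser rule that matters for session hijacking: a Secure
    cookie is attached only to https:// requests, so it never appears in
    plaintext traffic. Returns True when the cookie would be sent unencrypted."""
    scheme = url.split("://", 1)[0].lower()
    if scheme != "http":
        return False  # https traffic is encrypted; there is nothing readable to sniff
    return "secure" not in cookie.attributes


# Constructed sample headers: the first is the pre-HTTPS default the article
# describes, the second is the same session cookie with protective attributes.
WEAK_HEADER = "sid=deadbeefcafe1234; Path=/"
HARDENED_HEADER = "sid=deadbeefcafe1234; Path=/; Secure; HttpOnly; SameSite=Lax"


def main() -> None:
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        cookie = parse_set_cookie(header)
        print(f"[{label}] {header}")
        for finding in audit(cookie) or ["no findings"]:
            print(f"    - {finding}")
        for url in ("http://example.test/home", "https://example.test/home"):
            exposed = would_cross_the_wire_in_clear(cookie, url)
            print(f"    request to {url}: cookie sent in clear = {exposed}")


if __name__ == "__main__":
    main()
```

The audit is the check a site operator can run against their own login response headers; the transmission model shows why the Secure attribute, combined with serving every page over HTTPS, removes the plaintext cookie that software like FaceNiff depends on, while a VPN protects the whole link regardless of how each site sets its cookies.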
There are many other ways in which your private information can be compromised. The best way to protect your sensitive information is to use a VPN, like PRIVATE WiFi, which encrypts the data moving to and from your laptop. The encryption protects all your Internet communication from being intercepted by others in wifi hotspots.
By using a VPN, you can stop hacking software like FaceNiff dead in its tracks.