New Android app allows automated WiFi cookie intercepts

As reported back in April 2009, pen tester Peter Wood, CEO of First Base Technologies, revealed that a structural flaw in the way browsers switch between HTTPS and HTTP data sessions means that cookie interception is possible across a public WiFi connection.

Many sites, Wood told Infosecurity at the time, do not set the secure text flag on their site's session cookie.

Because HTTP sessions have far lower data and IT resource overheads than HTTPS sessions, major sites often only use the latter secure protocol when requiring users to enter personal data such as payment card details on specific pages.

And if the hacker uses the cookie to take over an internet session – on a wireless or cellular connection, or even in an internet cafe – they can then intercept this personal data.

Under certain circumstances, Wood explained, it is even possible for a hacker to seize control of a supposedly secure – and authenticated – IP session just as the user has entered their payment card data and other personal information.

And now FaceNiff appears to automate this process although, Infosecurity notes, Android device users will first have to 'root' their smartphones or tablet computers before installing the app.

According to security researcher 'Ms Smith' on NetworkWorld, "like a wicked mobile cousin of Firesheep, FaceNiff could allow even a clueless noob to hack Facebook over WiFi networks."

"FaceNiff allows users to sniff and intercept web sessions for Facebook, Twitter, YouTube, Amazon, and Nasza-Klasa (a Polish site). Unlike Firesheep, the FaceNiff app listens in on wireless networks encrypted with WPA and WPA2 (WEP too) so that with one tap and within seconds, users can hijack the account types supported", she notes.

The good news – if there is such a thing with darkware apps of this type – is that FaceNiff 'only' intercepts three user profiles on given sites.

However, Bartosz Ponurkiewicz, the author of FaceNiff, has reportedly said that he plans to develop a paid-for version of the app that will access more user profiles.

Ms Smith reports that FaceNiff has been confirmed to work on the following rooted devices: HTC Desire CM7, original Droid/Milestone CM7, SE Xperia X10, Samsung Galaxy S, Nexus 1 CM7, HTC HD2, LG Swift 2X, LG Optimus black (original ROM), LG Optimus 3D (original ROM), and Samsung Infuse.

Infosecurity notes that a video of FaceNiff has been posted to YouTube, showing the app operating.

According to Ms Smith, FaceNiff "underscores the importance of using HTTPS. If you have not done so, you can tweak your Facebook and Twitter settings to always enable HTTPS."

Or, she adds, you can use the Electronic Frontier Foundation's 'HTTPS Everywhere' add-on for Firefox to force using SSL at all times, wherever it is possible.
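On the site operator's side, the conditions described above (a session cookie without the secure flag, a switch from HTTPS back to HTTP) can be checked in the headers of an HTTPS response. The following is an added example, not code from the article or from any tool it mentions; the function names, the cookie name `sessionid`, the host `shop.example` and the sample headers are all constructed for illustration.

```python
# Added example: audit one HTTPS response for the weaknesses that let a
# session cookie travel over plain HTTP. All sample data is constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # names are case-insensitive
    return name, attrs


def audit_https_response(headers, session_names):
    """headers: list of (name, value) pairs from a response served over HTTPS.
    Returns a list of (item, problem) findings."""
    findings = []
    has_hsts = False
    for hname, hvalue in headers:
        lower = hname.lower()
        if lower == "strict-transport-security":
            has_hsts = True
        elif lower == "location" and hvalue.lower().startswith("http://"):
            findings.append(("Location", "redirects from HTTPS back to plain HTTP"))
        elif lower == "set-cookie":
            name, attrs = parse_set_cookie(hvalue)
            # Only session identifiers matter for session hijacking.
            if name in session_names and "secure" not in attrs:
                findings.append((name, "session cookie lacks Secure"))
    if not has_hsts:
        findings.append(("Strict-Transport-Security", "header absent"))
    return findings


# Constructed sample: login over HTTPS, then a drop back to HTTP.
WEAK = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Location", "http://shop.example/account"),
]
# Constructed sample: the same response with the settings corrected.
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=abc123; Path=/; SECURE; HttpOnly"),
    ("Location", "https://shop.example/account"),
]

if __name__ == "__main__":
    for item, problem in audit_https_response(WEAK, {"sessionid"}):
        print(f"{item}: {problem}")
```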
