With an Android tool, hacking Facebook, Twitter and other accounts is a breeze, even for laymen. The only condition: the Android phone must be logged onto the same wireless network as the victim. FaceNiff extends the Firesheep principle once more and represents a huge threat to the personal data of millions of Facebook users. We put the tool under the microscope.
When the Firefox extension Firesheep made the rounds last summer, the astonishment was great: all you had to do was sit in an open Wi-Fi network with a laptop, and you could easily see the social network accounts of bystanders, log in to them and cause mischief.
A new sniffing tool for rooted Android phones called FaceNiff now sets the hurdles even lower. Once started, it lists in no time the Facebook, Twitter, YouTube and Amazon accounts of many users who are logged into the same Wi-Fi, along with their names. This works even if the network is secured with strong WPA2 encryption.
We put it to the test: we obtained FaceNiff, including the unlock code, and tested it in our corporate WLAN. You start the tool by optionally setting “Passive” and “Stealth Mode” and pressing the large “Power” button. That's it. After only a few seconds, numerous hackable accounts are listed.
On our company floor, people surf Facebook a lot, both professionally and privately. So immediately after starting the account search, FaceNiff reported mainly Facebook accounts to us, but also a few Twitter and Amazon accounts. Overall, about two dozen accounts.
A tap on an account and you are logged into that account's web interface in the mobile browser. In this example, I logged in as Daniel on a trial basis (with permission).
In another test, we easily managed to log in to the androidnews.de YouTube account without entering a password.
Well, it's that simple. Start the app, log in and, if you have no scruples, cause mischief. Frightening scenarios are possible: “honeypots” in the pedestrian zone, sniffed account information at conferences, hijacked user accounts of politicians and celebrities, and so on… Technically, no password is stolen here, after all; only a session cookie is taken over, the token with which a user is identified on the web for a limited time. But that alone is enough to collect the information needed to compromise not only a user but also their contacts, for example via Twitter DMs or Facebook messages.
The process is closely related to the recently discovered vulnerability in various Google apps. We already pointed out that the problem of unencrypted authentication is by no means limited to Google and Android, which is impressively shown here. But what can you do about it?
FaceNiff – 5 ways to counter the Android sniffer
- As a user, you should always choose the highest possible level of security while surfing. That is: always visit Twitter and Facebook with https:// in front of the address.
- Always log out after using online services.
- On Facebook, in the account settings under “Account security”, activate the awkwardly translated option “Secure Browsing (https)” as “confirmation”.
- Use the Firefox extension HTTPS Everywhere, which automatically upgrades the connection to SSL on supported sites.
- Be sure to urge wireless network operators to configure their router(s) so that they use only WPA2 with EAP as the encryption method, NOT WPA-PSK or WPA2-PSK, and certainly not WEP.
Note on this article: We wondered for a long time whether we should publish this article, because with FaceNiff even laymen can do great damage. However, we decided to publish because we believe it is important that this information is public. Without this article, FaceNiff and similar tools would exist anyway (as would reporting on them), but fewer users would be aware of the fact. Companies such as Facebook and Twitter must finally make SSL connections mandatory; otherwise user accounts will remain hackable even by third graders.
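The server-side counterpart to the advice above, as an added example that is not part of the original article: a Python check a site operator can run over their own response headers to find cookies that would cross a shared Wi-Fi unencrypted. The function names and the sample headers are constructed for illustration.

```python
def parse_set_cookie(value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(scheme, headers):
    """List (subject, issue) findings for one response.

    scheme:  "http" or "https", how the response was delivered
    headers: list of (name, value) tuples; repeated Set-Cookie headers allowed
    """
    findings = []
    hsts = False
    for key, value in headers:
        key = key.lower()
        if key == "strict-transport-security" and scheme == "https":
            hsts = True  # browsers ignore this header on plain HTTP (RFC 6797)
        elif key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if scheme != "https":
                findings.append((name, "cookie set over plain HTTP"))
            elif "secure" not in attrs:
                findings.append((name, "missing Secure attribute"))
    if not hsts:
        findings.append(("response", "no effective Strict-Transport-Security"))
    return findings


# Constructed sample responses (not captured from any real site).
HTTP_LOGIN = [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]
HTTPS_MIXED = [
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "remember=u42; Path=/; Max-Age=86400"),
]
HTTPS_HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, scheme, hdrs in [("http login", "http", HTTP_LOGIN),
                                ("https mixed", "https", HTTPS_MIXED),
                                ("https hardened", "https", HTTPS_HARDENED)]:
        print(label, audit_response(scheme, hdrs) or "ok")
```

A cookie without the Secure attribute is attached to any later http:// request to the same host, which is why one unflagged cookie on an otherwise HTTPS site still shows up as a finding.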