Hijack any Facebook account with Faceniff – Firesheep for Android

A hacker called Bartosz Ponurkiewicz has released a simple Android app called Faceniff (Facebook + Sniff), which allows you to hijack the Facebook profile of anyone on the same wireless network as you. Think Firesheep, but running on something you can slip in your pocket and carry anywhere. Oh, and it’s “for educational use only” 😉 Understand?

The interesting thing about Faceniff is that it works with WPA2-PSK encrypted networks (as well as the lower-grade WPA protocol). So it doesn’t matter how strong your wireless encryption is, it’s still susceptible to inside attacks. All you need is a rooted Android phone with Faceniff installed.

Faceniff startup screen

I tried out Faceniff with my own account last night. It worked perfectly. To prepare, I logged out of Facebook on my phone, and connected my laptop and phone to the same network (with WPA2-PSK encryption). After launching Faceniff, the app asked for Superuser permissions. Then it was just one click, and it started scanning the network.

Faceniff requires root (superuser) permissions

As soon as I loaded Facebook on my laptop computer, my user ID appeared on the phone. With one tap I was able to log in and post a status update from my phone. Pretty easy, right? That’s the revolutionary thing about Faceniff. While this kind of hijacking technology is nothing new, it’s never been packaged into an easy, foolproof bundle like this. Even with Firesheep you needed a laptop, and it had trouble handling WPA2. Faceniff, however, has none of these limitations – and a phone can easily be concealed if somebody gets suspicious.

Faceniff found my profile in seconds

This is just another reason why you should enable HTTPS for your Facebook account. While HTTPS connections can also be hijacked, it takes a lot more time and effort than standard HTTP attacks. Also, there aren’t many automated tools available for HTTPS hijacking (yet!) so you’re less likely to be molested by script kiddies.
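A header audit for the HTTPS advice above, as an added example that is not part of the original post. It assumes that Firesheep-style tools work by capturing session cookies sent over unencrypted HTTP; the function names, URLs and header values are constructed for illustration.

```python
# Added example: audit one HTTP response for settings that leave a
# session readable to other clients on the same wireless network.

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_response(url, headers):
    """headers is a list of (name, value) pairs; returns (code, detail) findings."""
    findings = []
    https = url.lower().startswith("https://")
    if not https:
        findings.append(("PLAINTEXT", "response travelled over plain HTTP"))
    header_names = {name.lower() for name, _ in headers}
    # Browsers only honour HSTS when it arrives over HTTPS, so only check it there.
    if https and "strict-transport-security" not in header_names:
        findings.append(("NO_HSTS", "browser may still fall back to http://"))
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        # Without Secure the browser attaches the cookie to http:// requests too.
        if "secure" not in attrs:
            findings.append(("COOKIE_NOT_SECURE", cookie))
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "http://social.example.test/home": [
        ("Set-Cookie", "session=abc123; Path=/"),
    ],
    "https://social.example.test/home": [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ],
}

if __name__ == "__main__":
    for url, headers in SAMPLES.items():
        print(url, audit_response(url, headers) or "no findings")
```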

If you want to try Faceniff yourself (remember, educational use only – nothing illegal of course!) you can download the APK here. I also recommend the video demonstration of Faceniff embedded below. It’s a very interesting app, and something I expect to see more of as security professionals start experimenting with Android’s capabilities.