FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the Wi-Fi that your mobile is connected to. It is possible to hijack sessions only when Wi-Fi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK). It’s kind of like Firesheep for Android and it works on WPA2.
So this is like tcpdump or Wireshark for Android? Neat.
I’ll take this opportunity to remind everyone to use encryption whenever possible, and if you’re really paranoid, use a VPN when using someone else’s network.
I hijacked my brother’s Facebook session and posted something on his wall.
The sad thing is that if Facebook used SSL this wouldn’t be possible. How much more computing power would Facebook need to enable SSL Facebooking?
SSL is still prone to man in the middle attacks. And you can steal cookies if you want to get access to a facebook account.
No it isn’t. You need to convince a CA to make you a certificate for facebook.com, which has happened on occasion, but isn’t exactly easy.
And you can’t steal cookies from SSL connections. That’s just stupid.
Facebook does nowadays support SSL, you just have to enable it in your settings. And yes, I agree; it should be enabled by default. But nevertheless, the support is already there.
https://www.facebook.com works just fine for me. Don’t blame facebook for your brothers mistake.
Problem is that HTTPS doesn’t work with Facebook apps, so it’s turned off by default.
I did that too…. but then clicking around you eventually end up with http.