A new Android app makes hijacking other people's Facebook, Twitter, YouTube and Amazon sessions a breeze over private or open wireless networks.Called FaceNiff, the app is the work of a Polish programmer named Bartosz Ponurkiewicz and was apparently released on his website in mid-May.
"It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK)," the developer writes.
FaceNiff requires root access on the phone in order to work properly. Root (admin) access is not enabled by default on most devices, but there are many tutorials and tools available to obtain it.
So far, the app can hijack sessions for FaceBook, Twitter, Youtube, Amazon and Nasza-Klasa, a Polish social networking service. It has been confirmed to work on HTC Desire CM7 (CyanogenMod 7), Original Droid/Milestone CM7, SE Xperia X10, Samsung Galaxy S, Nexus 1 CM7, HTC HD2, LG Swift 2X, LG Optimus Black - original rom, LG Optimus 3D - original rom, Samsung Infuse.
Session hijacking, also known as side-jacking, involves attackers positioning themselves between users and websites in order to steal session cookies, the small text files stored in browsers so that services can remember authenticated users.
Session cookies can be placed into any browser to take control over the sessions they correspond to. This type of attack does not expose passwords, but does give attackers access to the victims' accounts.
Firesheep, an extension for Firefox released last year is based on a similar concept and its availability led to major websites like Google, Facebook, Twitter and others to speed-up their SSL deployment plans.
At the moment, the only method to protect the transmission of session cookies over wireless networks is to encrypt them and this can only be done on websites that support HTTPS, a combination of HTTP and SSL/TLS.
Users are strongly advised to only log into websites that support HTTPS when connected over wireless networks. The HTTPS-Everywhere extension developed by the EFF can force HTTPS automatically on major websites.