By Not that we condone this sort of stuff or anything, but since it already seems to be taking the blogosphere by storm we might as well report it. A developer created Faceniff, an Android application that’ll allow you to login to someone’s Twitter, Facebook and YouTube accounts if they login on shared WiFi networks without SSL encryption. The video above demonstrates the disturbing functionality.
We don’t even want to dig deep into how it works, and we’re feeling a little guilty putting a spotlight on this app, but perhaps this’ll encourage folks to use HTTPS from now on. You’ll need to be rooted and you can’t find it in the Android market. In fact, I think I’ll just leave anyone interested to find it for themselves. [via Mashable]
isn’t the vulnerability supposed to be eliminated in 2.3+ devices?
This isn’t an Android vulnerability – it is the default setting on those services to NOT use SSL encryption. If you log into the main web site of Facebook and Twitter both have a preference/option to enable and require SSL.
That doesn’t stop people stealing the auth token from the Facebook and Twitter apps which is sent unencrypted and there’s no way to change this.
It’s not a vulnerability in Android. Google just changed Contacts and Calendar to send their auth tokens with SSL encryption.
If you are shouting out your login credentials, unencrypted, over a WiFi network you know nothing about, that is not your device’s fault. It is the fault of the service (eg, Facebook, YouTube, etc) that you are logging into.
Notice I said “device’. This applies to anything. Either a Sammy Cappy or an iPhony.
They don’t have to go far to find it, it’s in your source link, heh.
I know. I just didn’t want to link it here, heh.
So, this is basically like an Android app version of the Firesheep extension? Ugh.
Does YouTube have a SSL login preference now? I never noticed a checkbox for that.
Jesus. Thank god I use Facebook in HTTPs and have my home network on password protected. Hopefully Google will remove this, but I dobut it since they are all on top of being “open” and shit.
Again, this isn’t an issue with Google. The app to do this requires root and can’t be found on the market, so there probably isn’t much Google can do about it short of completely changing their stance on Android.
Just checked facebook, they have a setting to require you to enter a code sent to your phone when a new computer accesses your account, maybe that could help.
So no one else misunderstands, the “baddie”is the one using Android, the target is anyone on a wi-fi who’s not using encryption(mac,android,pc,w/e). The same thing happend to fx with the firesheep add-on.
Fakebook is a waste of time anyway imo. (lets see how many friends I can accumulate, when in all reality most people only have a handful of “true” friends) Pathetic.
i think your talking about myspace xD
It’s like my old pappy used to always say “Locks on the doors only keep the honest people out”.
It works great! :D