Facebook Logo

Hacking Facebook Sessions from Android with Faceniff

Faceniff is a navite app for the Android platform that requires root access to perform a Man in the Middle attack against a network in order to hijack HTTP sessions. You can find more information on the app as well as the download link here:


Proof of Concept:

The Attack:

Step 1) Arp poison the router. This leverages the root capabilities of a rooted android operating system to perform a Man in the Middle attack against all the hosts on the network. Because it attacks the arp cache of the router, you will be able to MITM both wired and wireless hosts on the same network from a single wireless connection. This also requires that you have already obtained an IP Address from the victim network which means Wireless Encryption will not prevent this attack if the attacker already knows the encryption key.

Step 2) Wait for a cookie to pass through. Because this attack only works against HTTP protocol, all the cookies will fly by unencrypted allowing an attacker to copy any cookie that passes through the router.

Step 3) Copy the cookie to a local browser. This step essentially tricks Facebook or any other service into thinking that your browser has already successfully authenticated to the service allowing the attacker to assume the identity of the victim.

Preventing this Attack:

SSL encrypted sessions will not stop the attacker from ARP poisoning the router and performing the MITM attack. It will successfuly prevent Step 2 of this attack by encrypting the cookie every time it is transmitted. Proof of Concept attacks against SSL exist in the wild, and a full set of tools exists to implement the attacks. At this time, those attacks have not been integrated into Faceniff, although the SSL Strip button has been added to the interface.

Any time you connect to a service, make sure it is SSL encrypted. This will completely prevent this attack until SSL Strip is implemented into Faceniff.

If SSL Sniff is integrated into Faceniff, even trusted networks will become fair game for attackers. The problem isn’t that this type of attack isn’t possible, it’s that this type of attack is difficult to execute and requires atleast some low level knowledge of the toolsets and protocols involved. To automate an attack like this in a simple packaged application that can be distributed to the masses and used at will results in anyone with an Android platform being able to hijack HTTPS sessions with the press of a single button, without any knowledge of what is happening or how it works.

Further information on Session Hijacking can be found at the Wikipedia page here.