How often do you check your Facebook, Twitter, and other social networks? Daily? Hourly? Most of us remain logged in almost all the time. A new threat came to light this week that should make you think twice about your privacy. FaceNiff is an Android app that lets its user grab your logged-in social network session off the network you're both on (not your password, but the cookie your browser sends to prove you're logged in) and hijack your account with it. Once your account has been compromised, the attacker can access all of your information as if they were logged in as you: post updates, read private messages, and literally have full control of your account. Here's a video demoing just how easy it is:




Here are a few things you should know:

  • The attacker has to be on the same local network as you.
    • A password-protected wireless network (WPA/WPA2) only helps if the attacker can't join it. The password keeps strangers out; it does nothing against the other customers of the same coffee shop, hotel or office who have it too.
  • You have to be using Facebook in a browser - on the computer or on the phone.
    • Internet Explorer, Safari, Firefox, Chrome, the Android Browser, and any other one you can think of.
    • The Facebook app for Android is not affected by this.
  • If you connect to Facebook over a secure connection, this app can't work.
    • The attack fails when your session runs over SSL (https) - more on this in a minute.
  • Whether your own computer is wired or wireless doesn't matter. It's your unencrypted traffic crossing the shared network that gets picked off, not the radio link itself.

We did a few experiments with FaceNiff in our "lab" and found that this app really does work as well as the demonstration leads you to believe. One of our staff was able to break into 2 Facebook accounts in under a minute. The attack works because, over plain http, the cookie your browser attaches to every request to prove you're logged in travels between your computer and the site unencrypted, and anyone who can see that traffic can copy it and present it as their own. On an open Wi-Fi network it can literally be "sniffed" out of the air. On a password-protected network the radio link is encrypted, but everyone on that network still shares the same local network behind it, and FaceNiff gets at your packets there by tricking your computer into sending them through the attacker's phone on their way to the router (ARP spoofing). Think of using a baby monitor to listen in on your neighbor's cordless phone. Newer digital phones encrypt the signal to keep nosy neighbors (and their babies) from listening in. The fix here is the same: make sure you're using an encrypted connection when you do your social networking. It's easier than it sounds. Here's what you do:

Go to your account settings in Facebook, choose "Account Security", and check the box to use a secure connection (https) whenever possible. Click Save. From then on the cookie that identifies your session only travels inside an encrypted connection, so someone sniffing your network sees ciphertext instead of your login, and this attack no longer works against you. - That's it! One caveat hides in the words "whenever possible": if a page or app on the site only works over plain http, you are back on an unprotected connection for that page, so glance at the address bar now and then and make sure it still says https. The setting also does nothing against a phished password or malware on your own computer; it closes this hole, not every hole.

The other good way to protect yourself is to avoid sharing a network with strangers at all, for example by using your own mobile broadband device instead of public Wi-Fi, or to use an app such as Facebook for Android that doesn't send your session around in a browser's plain http requests.
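To make the mechanism and the fix concrete, here is an added example written for this post. It is not FaceNiff's code and it never touches a network: a hand-constructed http request plays the part of the sniffed packet, a few lines model the one browser rule that matters (a cookie flagged Secure is never attached to an http:// request), and the scenarios show what a sniffer on your network recovers before and after the site issues your session cookies over https. The cookie names c_user and xs are the ones Facebook used for its session at the time; the values are made up, and it is an assumption of the example that turning on "use a secure connection" results in those cookies being marked Secure.

```python
"""Why the FaceNiff attack works and why an https-only session stops it.

Added example for this post; not FaceNiff's code, no network access.
The 'captured' request is constructed by hand: c_user and xs are the names
Facebook used for its session cookies at the time, the values are invented.
"""
from urllib.parse import urlparse

SESSION_COOKIE_NAMES = {"c_user", "xs"}   # enough to act as the logged-in user


def extract_cookies(raw_request):
    """Return the name->value pairs from the Cookie header of a raw http request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    cookies = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return cookies


def hijacked_session(wire_bytes):
    """What a sniffer on the same LAN ends up with: the session cookies, or None."""
    if wire_bytes is None:                        # TLS: only ciphertext on the wire
        return None
    cookies = extract_cookies(wire_bytes)
    if SESSION_COOKIE_NAMES.issubset(cookies):
        return {k: cookies[k] for k in SESSION_COOKIE_NAMES}
    return None


def parse_set_cookie(header_value):
    """Parse 'name=value; Secure; HttpOnly; Path=/' into a small dict."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {p.lower() for p in parts[1:] if "=" not in p}
    return {"name": name.strip(), "value": value.strip(),
            "secure": "secure" in flags, "httponly": "httponly" in flags}


def cookie_header_for(jar, url):
    """Browser rule: a cookie marked Secure is attached only to https:// requests."""
    https = urlparse(url).scheme == "https"
    sendable = [c for c in jar if https or not c["secure"]]
    return "; ".join(f"{c['name']}={c['value']}" for c in sendable)


def on_the_wire(url, jar):
    """Bytes a LAN sniffer sees for this request: the request itself over http,
    None (ciphertext) over https."""
    u = urlparse(url)
    if u.scheme == "https":
        return None
    cookie = cookie_header_for(jar, url)
    return (f"GET {u.path or '/'} HTTP/1.1\r\nHost: {u.netloc}\r\n"
            + (f"Cookie: {cookie}\r\n" if cookie else "") + "\r\n")


# --- the scenario in the post (constructed data) -------------------------
# Before: the site issues its session cookies without the Secure attribute.
PLAIN_JAR = [parse_set_cookie("datr=abc123; Path=/"),
             parse_set_cookie("c_user=100000000001; Path=/"),
             parse_set_cookie("xs=12%3Adeadbeefcafe%3A2; HttpOnly; Path=/")]
# After "use a secure connection": assumed here that the session cookies are
# re-issued with Secure, so the browser never puts them on an http:// request.
SECURE_JAR = [parse_set_cookie("datr=abc123; Path=/"),
              parse_set_cookie("c_user=100000000001; Secure; Path=/"),
              parse_set_cookie("xs=12%3Adeadbeefcafe%3A2; Secure; HttpOnly; Path=/")]

HOME = "http://www.facebook.com/home.php"
HOME_TLS = "https://www.facebook.com/home.php"


def scenario():
    """What the sniffer recovers in each of three situations."""
    return {
        "http, plain cookies": hijacked_session(on_the_wire(HOME, PLAIN_JAR)),
        "https, plain cookies": hijacked_session(on_the_wire(HOME_TLS, PLAIN_JAR)),
        # the case the Secure flag exists for: a stray http:// link after the setting is on
        "http, Secure cookies": hijacked_session(on_the_wire(HOME, SECURE_JAR)),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:22s} -> {'HIJACKED ' + str(result) if result else 'nothing usable'}")
```

The first case is the post's demo: the session cookies sit in a clear-text Cookie header and the sniffer has everything it needs. The second is what the https setting buys you. The third is why the Secure attribute matters on top of the setting: even if you land on a plain http:// page afterwards, the browser leaves the session cookies at home, so the only thing on the wire is a harmless tracking cookie.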