Protect Against Session Hijack & Android FaceNiff Hackers

Posted in Android , Misc. on 22 June 2011 0 comment

Nowadays you do not need to be a security expert to break into someone's account or hijack their session, because ready-made tools do the work for those "hackers". A few months ago the most talked-about example was Firesheep, a Mozilla Firefox extension that automates session hijacking on unsecured Wi-Fi networks: anyone on the same public network can take over other users' sessions with a click. Facebook and Twitter have since added the option of full-session HTTPS to defend against it, but the tool still works against any site that sends its session cookie over plain HTTP.

What is session hijacking and how does it work?

A session hijacking tool is essentially a packet sniffer. On an open Wi-Fi network every unencrypted frame between the access point and the other users is visible to anyone within radio range, so the tool simply listens and picks the interesting packets out of the traffic. Session hijacking itself is taking over a web user's session by obtaining their session identifier, normally the session cookie the browser attaches to every request, and presenting it to the site as if you were the authorized user. Because the site identifies you by that cookie alone, the hijacker needs no password, and you would not notice anything: they browse the site and act under your account while your own session keeps working.
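To make the harvesting step concrete, here is an added example (not code from the post or from either tool) that models what a Firesheep/FaceNiff-style sniffer does over a handful of constructed packets: it reads the HTTP requests that browsers send in cleartext, picks out the cookies that identify the session on each known site, and shows the request the hijacker then replays. Hostnames, cookie names and values are made up for the example, and the TLS record stands in for an HTTPS session. The same harvester, run over a capture of your own traffic, is a quick audit of which sites still hand your session cookie to everyone on the network.

```python
"""What a Firesheep/FaceNiff-style sniffer pulls out of open Wi-Fi traffic.

Added example, not code from the post or from either tool. Hostnames,
cookie names and values below are constructed for the example.
"""

# Constructed sample of what is visible on the wire. Items 1-3 are
# cleartext HTTP requests; item 4 is the first bytes of a TLS handshake
# (an HTTPS session), which carries nothing the sniffer can read.
CAPTURED_TRAFFIC = [
    b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: lang=en; sid=9f2c1e7a\r\n\r\n",
    b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
    b"Cookie: auth=Zm9vYmFy\r\n\r\n",
    b"GET /news HTTP/1.1\r\nHost: unknown.example\r\n"
    b"Cookie: tracking=abc\r\n\r\n",
    b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03",
]

# Which cookie names carry the session on each site. Firesheep shipped a
# per-site handler list of this kind; these entries are hypothetical.
SESSION_COOKIE_NAMES = {
    "social.example": {"sid"},
    "mail.example": {"auth"},
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")


def parse_request(raw):
    """Split a cleartext HTTP request into (method, target, headers).

    Returns None for anything that is not HTTP, e.g. TLS records."""
    if not raw.startswith(HTTP_METHODS):
        return None
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 3:
        return None
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def parse_cookie_header(value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def harvest_sessions(captured):
    """Return {host: {cookie_name: value}} for session cookies seen in cleartext."""
    found = {}
    for raw in captured:
        parsed = parse_request(raw)
        if parsed is None:
            continue  # encrypted or non-HTTP: nothing to steal
        _, _, headers = parsed
        host = headers.get("host", "").lower()
        wanted = SESSION_COOKIE_NAMES.get(host)
        if not wanted or "cookie" not in headers:
            continue
        stolen = {n: v for n, v in parse_cookie_header(headers["cookie"]).items()
                  if n in wanted}
        if stolen:
            found.setdefault(host, {}).update(stolen)
    return found


def hijack_request(host, session_cookies, path="/"):
    """The request the hijacker sends from their own browser: the stolen
    cookie is the only thing the site uses to tell who is logged in."""
    cookie = "; ".join(f"{n}={v}" for n, v in session_cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()


if __name__ == "__main__":
    for host, cookies in harvest_sessions(CAPTURED_TRAFFIC).items():
        print(host, "->", cookies)
        print(hijack_request(host, cookies).decode())
```

Note what is missing from the output: the request to unknown.example (no known session cookie) and the TLS record (encrypted). The cookie is the whole secret; no password ever crosses the wire, which is why a sniffer is enough.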

FaceNiff – Session Hijacking using mobile phone

Similar to Firesheep, there is now a tool made specifically for mobile phones. FaceNiff is an Android application that sniffs and intercepts web sessions over public Wi-Fi. It requires a rooted Android phone (the equivalent of jailbreaking an iPhone) so that it can capture raw packets from the wireless interface. The demonstration below shows how easy it was to hijack a Facebook session:

Protection = Encryption

Imagine you are on a big public Wi-Fi network, such as a university campus, accessing sensitive data: your account and data are not safe. The first and most important step to protect against these hijacking attacks is therefore to use HTTPS whenever possible. HTTPS does not promise 100% protection, because you are still on a shared public network, but it encrypts the session cookie along with everything else in transit, so a sniffer sees only ciphertext. It costs you nothing, so why not? Twitter and Facebook both support HTTPS, perhaps not by default, but it can easily be enforced. Here's how:

To enable HTTPS in Twitter, go to Settings > Account tab > Tick “Always use HTTPS” checkbox

To enable HTTPS in Facebook, go to Account Settings > Settings tab > under “Account Security” > Tick “Secure Browsing (https)” checkbox

However, not every Facebook app or game supports HTTPS, so when you load one Facebook may temporarily switch you back to plain HTTP. That matters: unless the session cookie carries the Secure attribute (which tells the browser never to send it over HTTP), the very next HTTP request exposes it in cleartext again, and one such request is all a sniffer needs.


The main idea of HTTPS is to create a secure channel over an insecure network. This gives reasonable protection against eavesdroppers and man-in-the-middle attacks, provided adequate cipher suites are used and the server certificate is verified and trusted. That last condition is why you should never click through a certificate warning on a public network: accepting a forged certificate hands the attacker exactly the plaintext HTTPS was meant to hide. For session hijacking specifically, the channel only helps if the cookie never leaves it, so site operators should mark the session cookie Secure (and HttpOnly) so that the browser refuses to attach it to any plain-HTTP request.
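The point that HTTPS alone is not enough, and that the Secure attribute is what keeps the cookie off the cleartext fallback described above, can be shown without any network. The following added example (not code from the post) models the browser side with Python's standard cookie jar, which applies the same rule browsers do: a cookie carrying Secure is never attached to an http:// request. The site name, cookie value and the faked login response are constructed for the example.

```python
"""Why HTTPS alone is not enough: the session cookie must be marked Secure.

Added example, not code from the post. Models the browser with the
standard library's cookie jar; the site, cookie value and login response
are constructed, so nothing touches the network.
"""
import email.message
import http.cookiejar
import urllib.request

HOST = "www.example.com"  # hypothetical site


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def login_over_https(set_cookie_value, host=HOST):
    """Simulate an HTTPS login whose response sets the session cookie.

    Returns the browser's cookie jar afterwards."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(f"https://{host}/login")
    jar.extract_cookies(FakeResponse([set_cookie_value]), login_request)
    return jar


def cookie_header_for(jar, url):
    """The Cookie header the browser would attach to a request for url,
    or None if it would send no cookie at all."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def sent_over_plain_http(set_cookie_value, host=HOST):
    """Log in over HTTPS, then visit a plain http:// page on the same site
    (what happens when a site falls back to HTTP for an app or game).
    Returns what a sniffer on the network would see in the Cookie header."""
    jar = login_over_https(set_cookie_value, host)
    return cookie_header_for(jar, f"http://{host}/home")


# Weak setting: the cookie is set over HTTPS but has no Secure attribute.
WEAK_COOKIE = "sid=9f2c1e7a; Path=/; HttpOnly"
# Corrected setting: Secure keeps the cookie off every http:// request.
HARDENED_COOKIE = "sid=9f2c1e7a; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    print("without Secure, http:// request carries:", sent_over_plain_http(WEAK_COOKIE))
    print("with Secure, http:// request carries:   ", sent_over_plain_http(HARDENED_COOKIE))
    print("with Secure, https:// request carries:  ",
          cookie_header_for(login_over_https(HARDENED_COOKIE), f"https://{HOST}/home"))
```

With the weak cookie the http:// request still carries sid=9f2c1e7a, exactly what FaceNiff harvests; with the hardened cookie the same request carries no cookie at all, while the https:// request keeps working. Note that this is a server-side fix: the "Always use HTTPS" settings above help only as long as the site never drops you back to HTTP, whereas the Secure attribute holds even when it does.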

More info about HTTPS


Posted by Zen on 22 June 2011 • 33,489 visits 0 comment