Firesheep caused quite a stir when it was released last October, giving both hackers and non-hackers instant access to people's account information when on a public Wi-Fi connection. When logged into an insecure website on the same network as someone with Firesheep, you're giving them access to the cookies that keep you logged in. This is called session hijacking, and grants them easy access to your accounts, like Facebook, Flickr and Twitter. Now, there's an even easier way to do this—a mobile way.
A recent Android application called FaceNiff can hijack unencrypted login credentials from users on the same Wi-Fi network. But here's the kicker: It also works on networks encrypted with WEP, WPA or WPA2 protection. In order to use FaceNiff, your Android smartphone must first be rooted. Right now, FaceNiff works with Amazon, Facebook, Twitter, YouTube and Nasza-Klasa, but more are sure to follow.
Apparently, the APK only works on three accounts at a time. For unlimited access, you have to buy the application via PayPal.
The FaceNiff website does describe this app as being "for educational purposes only," but it's highly doubtful that was the intention. To thwart FaceNiff, make sure you're in secure browsing mode, with your profile set to use HTTPS encryption.