

Faceniff: Cookie snatching for Facebook on Android - patrickod
http://www.engadget.com/2011/06/02/faceniff-makes-facebook-hacking-a-portable-one-tap-affair-vide/

======
adn37
I was curious about the technique used under the hood, so I decided to have a
closer look.

-- What it does to intercept network traffic:

1/ The app spawns an android (java) service that performs the following
as root when it starts:

# echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables -t nat -I POSTROUTING -s 0/0 -j MASQUERADE

# iptables -t nat -I OUTPUT -j DNAT -p tcp --dport 1337 --to 127.0.0.1

# iptables -t nat -I PREROUTING -j DNAT -p tcp --dport 1337 --to
xxxunclearherexxx

My understanding is that it redirects outgoing packets (targeted at port
1337) to loopback, where the native daemon listens (2/)

This is not visible in the video, but when the user clicks to use a caught
Facebook profile, it seems to trigger an android Intent to actually go to
Facebook on port 1337 instead of 80, so it gets caught by the iptables hook.

2/ It then execs the faceniff binary to go native (unpacked from resources)
with some params (stealth/passive mode, license check), and polls its status
every 1s.

-- Native part: I believe it handles most of the logic. Looking at the
strings contained, it seems to deal with libpcap to intercept and forge
headers on the fly.

Some interesting strings: libpcap version 0.9.8

new user found but the app is locked!

Unable to find ssid in cookies [%s]

HTTP/1.1 200 OK Content-Type: text/html Connection: close

Set-Cookie: %s=%s; expires=Fri, 14-Jul-2017 04:40:00 GMT; path=/; domain=.%s

<meta http-equiv='refresh' content='0;http://%s/'>

HTTP/1.1 200 OK Content-Type: text/html Connection: close

Date: Wed, 02 Feb 2011 01:51:18 GMT

<li><a href='http://%s:1337/%s'>%s</a></li>

client asking for: [%s]

Technically speaking, this is interesting. Please feel free to add info if you
are familiar with the technique.

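A defender's-side counterpart to the Set-Cookie format quoted above, added here as an example and not part of the original post or of the app: a small Python audit that parses the Set-Cookie headers of a raw HTTP response and flags a cookie that lacks Secure and HttpOnly, is scoped to every subdomain, or lives for years, which are the properties that let a sniffed cookie be replayed. The response text, the cookie value and example.com are constructed; NOW is pinned to the Date header quoted in the strings.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample, modelled on the response format quoted from the binary's
# strings above; cookie value and domain are made up. NOW is pinned to the
# Date header quoted on the page so the lifetime check is reproducible.
NOW = datetime(2011, 2, 2, tzinfo=timezone.utc)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n"
    "Set-Cookie: ssid=EXAMPLE_SESSION_VALUE; expires=Fri, 14-Jul-2017 04:40:00 GMT; "
    "path=/; domain=.example.com\r\n"
    "Set-Cookie: pref=1; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html></html>"
)

def parse_set_cookie(value: str) -> tuple[str, dict[str, str]]:
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return parts[0].partition("=")[0].strip(), attrs

def audit_cookie(value: str, now: datetime, max_life: timedelta = timedelta(days=30)) -> list[str]:
    """List the ways this cookie would be exposed or over-scoped; empty means fine."""
    _, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will send it over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    if "domain" in attrs:
        findings.append(f"domain={attrs['domain']}: sent to every subdomain")
    if "expires" in attrs:
        try:
            if parsedate_to_datetime(attrs["expires"]) - now > max_life:
                findings.append("lifetime exceeds max_life: a captured cookie stays usable long after capture")
        except (TypeError, ValueError):
            findings.append(f"unparseable expires={attrs['expires']!r}")
    return findings

def audit_response(raw: str, now: datetime = NOW) -> dict[str, list[str]]:
    """Audit every Set-Cookie header in a raw HTTP response, keyed by cookie name."""
    report = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            name, _ = parse_set_cookie(value)
            report[name] = audit_cookie(value, now)
    return report
```

Run against SAMPLE_RESPONSE, the `ssid` cookie gets four findings and `pref` none; point it at a captured response to check a real site's session cookie the same way.
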
------
aw3c2
Looks like closed-source with a paid version for more sniffing ("more than 3
profiles"). There is no way I am going to install this.

~~~
nl
I risked it and installed it. It didn't seem to work (Galaxy S), and then my
phone started running very, very slowly even after I closed it.

I uninstalled. I wouldn't recommend this app at all, and I'm pretty suspicious
about what it was doing.

~~~
zbanks
I had the same experience (Droid 2), except it crashed before I could even
accept the Root Permissions dialog, so I doubt I suffered any major damage.
(The default permissions are more innocuous)

------
SeoxyS
Hopefully this'll prompt these sites to switch to SSL by default...

~~~
patrickod
Funnily enough I had switched my Facebook account to SSL automatically a while
ago and completely forgot about it. I ran the app on my phone and was surprised
it worked.

It seems that some "application" that I had used on Facebook required SSL to
be temporarily disabled. I don't remember an application saying that SSL had
to be disabled, and I'd be the sort of person to read these things. I'd worry
that this would be a problem for less techy users.

SSL should be an opt-out feature for anything that harbors personal
information. I can only assume that this isn't the case due to the extra
server overhead that FB would have to deal with?

~~~
CWIZO
Whenever I go to a FB page that displays some content that is not served over
https, FB gives me a warning saying that the secure connection will be
temporarily disabled, but will be restored when I log back in the next time.
And you have to agree to that.

~~~
dspillett
I'm told that there were bugs in that process discovered shortly after its
introduction that could mean the switch back to HTTP happened without the user
being told so explicitly. These have been fixed, but the poster you replied to
may have been unlucky enough to have used such an app during a window when
such a problem was still present.

Another source of confusion is that neither the iPhone nor the Android native
facebook applications respect the HTTPS setting, so to use HTTPS for facebook
access on a phone make sure you use it via the web browser, not the native app.
IIRC this was one of the bugs: accessing facebook via one of those apps would
reset the switch for next time you accessed the site by other means, whereas
now it doesn't.

------
arrais
I wonder if there is anyone working right now on an open source version for
that. I will not install Faceniff, but an open source equivalent would be
really attractive.

------
aw3c2
Direct link: <http://faceniff.ponury.net/>

