A developer has released an app for Android handsets that brings website credential stealing over smartphones into the script kiddie realm. FaceNiff, as the Android app is called, can be used to steal unencrypted cookies on most Wi-Fi networks, giving users a point-and-click interface for stealing sensitive authentication …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Saturday 4th June 2011 05:20 GMT Anonymous Coward

>"rolled out increasingly thanks to the growing awareness"

And this is why full disclosure is the right thing to do. If you don't do it, the big firms never fix anything. If you do, things get fixed. It's a no-brainer.

3 0
Saturday 4th June 2011 05:20 GMT Anonymous Coward

I wonder

If it was called GooNIff and sniffed the (previously unencrypted) Google authentication tokens, would Google remote kill the application?

Even with the fix (has it gone everywhere?) it should be possible to use the same ARP poisoning used in this one to convince the Androids to stupidly fall back on HTTP.

Guess there's only one way to find out.

1 0
1. Saturday 4th June 2011 19:37 GMT Anonymous Coward
  
  title
  
  "Even with the fix (has it gone everywhere?) it should be possible to use the same ARP poisoning used in this one to convince the Androids to stupidly fall back on HTTP."
  
  The fix was server based according to this[1] article - so I assume the fix went along the lines of forcing encryption on the server.
  
  "The server-side fix addresses an implementation error in earlier versions of Android, which is used by more than 99 percent of those using the mobile operating system, according to Google figures. Versions 2.3.3 and earlier failed to transmit authentication tokens over an encrypted channels."
  
  1. http://www.theregister.co.uk/2011/05/18/google_android_security_fix/
  
  1 0
  1. Sunday 5th June 2011 00:06 GMT Anonymous Coward
    
    @AC
    
    It's a big problem that today's society doesn't follow up on information and just take journalists or bloggers word for it. Even though Mr Goodin tries somewhat, he like others have deadlines or other issues to attend and thus takes shortcuts.
    
    Going back to the source of the original article (Uni Uulm), they have now posted:
    
    "Google announced that they are going to fix the issue also for devices with older Android versions. The fix does not require an update of the Android OS and will be transparent to the user. So, as far as we know, users will not get any feedback when the update will be available on their devices. The fix is based on a changed configuration file for Google services on the device. The update mechanism might be similar to the application removal or Android Cloud to Device Messaging (C2DM) features. The update will only ensure encrypted synchronization of Calendar and Contacts. The Picasa synchronization, which was integrated in Android 2.3, will remain unencrypted.
    
    Note: The fix will not prevent the reuse of already captured authTokens. So if you think that you were compromised, e.g., some contacts or events changed or disappeared, you should immediately change the password of your Google account. This will render all existing authTokens for this particular account useless." [1]
    
    So
    
    1) Picasa is still as bad as it was
    
    2) Calendar and Contacts just require a bit more skill as it wasn't really a server side thing, just a configuration update on the devices.
    
    Learn to be a bit more critical of the sources you read.
    
    [1] http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html
    
    1 0
Saturday 4th June 2011 08:34 GMT Pen-y-gors

What a good idea...

So when is El Reg going to support always-on SSL (or even sometimes on) for the comments?

11 0
1. Saturday 4th June 2011 19:41 GMT dephormation.org.uk
  
  Or even for the content?
  
  So we can read what we like without fearing that BT/Phorm, Vodafone/Bluecoat, or TalkTalk/Huawei or any other bent ISP can monitor, censor, or interfere with the articles here?
  
  If only to save your revenue. One of those three bragged they were capable of rewriting ads on the fly... to make them 'more relevant'.
  
  C'mon Reg. You're supposed to be savvy. You know what these evil crooks are doing. Set an example.
  
  It is time to encrypt the web.
  
  6 0
Saturday 4th June 2011 15:00 GMT Anonymous Coward

Wake me up

when I can run AirCrack on my Android. Sniffing cookies is one thing. Playing with the network would be a lot more fun. ;-)

1 0
Saturday 4th June 2011 19:37 GMT Steven Knox

Always-on SSL

It's been time for always-on SSL since about 2005.

But SOME companies still refuse to move to it.

2 0
1. Monday 6th June 2011 09:54 GMT Peter Ford
  
  Stop the gravy train...
  
  If SSL certificates were not such a cash-cow for Verisign and the likes, SSL might have been adopted earlier. We need a trusted root provider that doesn't charge (excessively) for a couple of bytes - maybe one of the Universities could do it?
  
  2 0
  1. Monday 6th June 2011 19:40 GMT Anonymous Coward
    
    Whilst I agree about Verisign...
    
    ..the main issue is around stopping unencrypted traffic (not proof of server identity). Therefore any cheap/free certificate authority will suffice for most sites. Admittedly they SHOULD be ensuring their identity also (so should be using a trusted authority) but would you care for sites like El Reg? Not really - even a cheap Comodo cert would do to enable the encryption.
    
    0 0
Sunday 5th June 2011 12:33 GMT Anonymous Coward

Tunnels/VPN

I always find it better to use a tunnel for any connection, the WPA2 hotel network is worse than open access as peple somehow trust it, and the DNS poisoned caching, URL rewriting, transparent proxy connection to their online banking account.

Unless it's all wrapped up in a tunnel you may as well have no security at all.

2 0