A new Android application allows its users to sniff out and hijack unencrypted Facebook, Twitter and Amazon accounts over Wi-Fi networks.
FaceNiff, an app created by Polish developer Bartosz Ponurkiewicz, isn't even on the Android Market yet (and seemingly only available for download from his website) but is making lots of news mainly because of ethical and security concerns. As Ponurkiewicz says on the site, "Legal notice: this application is for educational purposes only. Do not try to use it if it's not legal in your country.
I do not take any responsibility for anything you do using this application. Use at your own risk."
There's certainly reason for the statement, because hijacking and using someone else's account can be be a legal risk -- we do have federal laws against wiretapping -- aside from just being a douchey thing to do.
The application is not the first to give user the power to hack into other's information. Last year, Firesheep, a Firefox plug-in, also could give users access to strangers' unencrypted Wi-Fi browsing sessions. However, FaceNiff differs because it does work on WPA-encrypted Wi-Fi networks.
The FaceNiff app also has to be downloaded by someone with a rooted, or hacked, Android phone, so this isn't an app for a general audience -- it's for someone with a little more technical experience. This makes us realize that the people with the most to lose in this situation is the average person using Wi-Fi on an unencrypted account -- usually free Wi-Fi at a cafe or business.
While the app can hack into encrypted Wi-Fi, it can't bypass SSL (secure sockets layer) or the S on HTTPS, at the beginning of Facebook's new secure login. Twitter also has an opt-in for HTTPS which protects from Wi-Fi hijacking (check Account Settings.) So, if using public Wi-Fi, realize that all unencrypted accounts can be read and accessed by someone standing across the room or down the street. Protect yourself.