Facebook session hijacking

In previous blog, I taught you how to hide your identity when browsing internet. This time, I will take it furthure and teach you how to hack Facebook. Now many of you will use this to spy on your girlfried or boyfriend. I’d rather use to understand how vulnerable our cyber lives are. Anyhow, let me get down to business and teach you how to hack Facebook.

When this methods works:

This is a very simple method of hacking that only works when victim and hacker are using same network i.e. house internet, school network, or at work. This method also assumes that victim isn’t using HTTPS (secure) protocol to browse Facebook. If you don’t know what this means then you can check if vicitm’s web browser displays https:// before Facebook address. Also, many of Facebook gtames and applications don’t work with HTTPS protocol. If your target is using one of these applications. Any way, you won’t always have access to victim’s web browser or cell phone so let assume both conditions are met.

Tools you need:

You need a rooted Android phone and Droidsheep app. To downlaod Droidsheep from their official website click here. By the way, if you haven’t rooted your phone than you aren’t using Android to it’s fullest potential. Root your phone damn it.

Using FaceNiff:

Once you have downloaded FaceNiff, run this app and start fishing by clicking “Start”. Trial version only allows 3 active sessions but you can get an activation key to make it to unlimitted sessions. Here are some pictures to give you an overview of this app:

face1-169x300 face2-169x300
What else can this app hack?

FaceBook, Twitter, Youtube, Amazon, VKontakte, Tumblr, MySpace, Tuenti, MeinVZ/StudiVZ, blogger, and Nasza-Klasa.

Now the boring part!

How does it work?

This app uses a hacking technique called session hijacking. It is what it sounds like … you intercept your victim’s web session. Now this could be done by decrypting network traffic. Some times, you might get lucky and your victim’s web browser might be transmitting and receiving data in plain text. This should remind you of something I mentioned in a blog post before. Always try to use a secure session — look for 5 magic letters HTTPS in your address bar. In Facebook you can activate secure browsing by going into your Account Settings. Go ahead and do it now.

Happy hunting!

The author would love to hear your comments. Let us discuss at Twitter @hashtaginfosec.