Friday, February 1, 2013

Faceniff Demo - Hijacking Facebook Sessions from Android

Faceniff is a native Android app that allows you to hijack Facebook sessions.

Faceniff monitors network traffic to extract the cookie from Facebook web requests made by authenticated users. It then installs the cookie locally on the device and visits the Facebook website, successfully assuming the identity of the logged-in Facebook user. Faceniff does not expose the user's Facebook password; it only hijacks the session, so access ends when the session expires (which happens when the user clicks 'logout').

Faceniff does not defeat SSL, so this attack can be prevented by enabling SSL encryption in your Facebook settings and only viewing Facebook over HTTPS.
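The HTTPS-only defense above holds only if the session cookie is never sent over plain HTTP. As an added example (not from the original post), this Python check audits a server's response headers for session cookies that lack the `Secure` attribute and for a missing HSTS header; the header values, cookie names and finding codes are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=def456; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "locale=en_US; Path=/"),
]


def hsts_enabled(headers):
    """True if a Strict-Transport-Security header sets max-age > 0."""
    for name, value in headers:
        if name.lower() != "strict-transport-security":
            continue
        for part in value.split(";"):
            key, _, val = part.strip().partition("=")
            val = val.strip('"')
            if key.lower() == "max-age" and val.isdigit():
                return int(val) > 0
    return False


def audit_response(headers, session_names):
    """Return (cookie, finding) pairs for session cookies exposed to sniffing.

    session_names is the set of cookie names that carry authentication state
    (an assumption the auditor supplies; it cannot be inferred from headers).
    """
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            # Without Secure, the browser attaches the cookie to http://
            # requests, where anyone on the same network can read it.
            if cookie_name in session_names and not morsel["secure"]:
                findings.append((cookie_name, "secure-flag-missing"))
    # Without HSTS, a first http:// request can still be made before
    # any redirect to https:// takes effect.
    if not hsts_enabled(headers):
        findings.append(("*", "hsts-missing"))
    return findings


if __name__ == "__main__":
    for cookie, finding in audit_response(SAMPLE_HEADERS, {"session_id", "auth_token"}):
        print(cookie, finding)
```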

http://faceniff.ponury.net/
