DroidSheep v14 out now!

It took quite a long time, but now DroidSheep v14 is out and ready to be downloaded!
It contains some nice features, like name resolution for facebook, twitter and some other accounts.
It now also shows the IP address of the session's origin.

It will also inform you when a new version is available on droidsheep.de.
There also have been some bugfixes and layout enhancements.

Watch it in action on YOUTUBE or try it immediately from the GET-IT section.

Note: If you have trouble installing the app, please uninstall the old version first!

Why HTTPS in facebook is not what it claims to be

It was October 2010 when Eric Butler introduced "Firesheep", an easy-to-use Firefox plug-in for session hijacking on Windows and Mac. There soon was a big hype and a lot of ethical discussion about it, although the attack itself was neither new nor based on exploits: it only uses data that is broadcast unencrypted over the air by the wireless network itself.

In January 2011, facebook responded to the public pressure and added optional HTTPS support to their web site.

But there is one thing that mobile users especially should not forget: the HTTPS setting does not apply to m.facebook.com. There is no encryption for the mobile version of the facebook web site.

Another thing is the facebook Android app: facebook requires every developer who wants to use the facebook API in their application to use SSL for every request to facebook (LINK). This is ironic, because they do not use encryption for their own API themselves!

The official facebook Android app sends its cookie and HTTP requests unencrypted to facebook, and DroidSheep can simply hijack the requests and the account, even if the user has HTTPS enabled.

So if someone uses the mobile website or the Android app (I don't have an iPhone, but I can imagine there is no security in the iOS facebook app either), there is no way for them to secure their session against hijacking. This is very poor, facebook!
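The weakness described above boils down to a session cookie that the client will also send over plain HTTP, so a site operator can catch it by auditing two things: whether the session cookies it sets carry the Secure attribute, and whether any plain-HTTP request in its proxy logs still carries one. The following Python audit is an added example, not DroidSheep's or facebook's code; the cookie names `sessionid` and `userid`, the hosts and all headers are constructed for illustration.

```python
"""Audit constructed HTTP samples for session cookies that travel in the clear.

Added example (not DroidSheep's or facebook's code). Cookie names, hosts and
headers are constructed for illustration."""
from http.cookies import SimpleCookie  # stdlib Set-Cookie parser

# Assumed names of the cookies that identify a logged-in session.
SESSION_COOKIES = {"sessionid", "userid"}

# Constructed Set-Cookie headers as a server might send them after login.
SAMPLE_RESPONSE_HEADERS = [
    "Set-Cookie: userid=100001234; Path=/; Domain=.facebook.com",  # no Secure flag
    "Set-Cookie: sessionid=abcdef; Path=/; Domain=.facebook.com; Secure; HttpOnly",
    "Set-Cookie: locale=en_US; Path=/; Domain=.facebook.com",      # not a session cookie
]

# Constructed proxy-log entries: (scheme, host, request headers).
SAMPLE_REQUESTS = [
    ("https", "www.facebook.com", {"Cookie": "userid=100001234; sessionid=abcdef"}),
    ("http", "m.facebook.com", {"Cookie": "userid=100001234"}),   # exposed on the wire
    ("http", "m.facebook.com", {"User-Agent": "Mozilla/5.0"}),    # no cookie, harmless
]

def session_cookies_without_secure(response_headers):
    """Return names of session cookies that were set without the Secure attribute.

    Without Secure, the browser also sends the cookie over plain HTTP (for example
    to the mobile site), where anyone on the same wireless network can read it."""
    weak = []
    for line in response_headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value.strip())
        for cookie, morsel in jar.items():
            if cookie in SESSION_COOKIES and not morsel["secure"]:
                weak.append(cookie)
    return weak

def cleartext_session_requests(requests):
    """Return hosts of plain-HTTP requests that carry a session cookie."""
    exposed = []
    for scheme, host, headers in requests:
        cookie_header = {k.lower(): v for k, v in headers.items()}.get("cookie", "")
        sent = {part.split("=", 1)[0].strip() for part in cookie_header.split(";") if part}
        if scheme == "http" and sent & SESSION_COOKIES:
            exposed.append(host)
    return exposed

if __name__ == "__main__":
    print("set without Secure:", session_cookies_without_secure(SAMPLE_RESPONSE_HEADERS))
    print("session cookie sent over HTTP to:", cleartext_session_requests(SAMPLE_REQUESTS))
```

Marking the session cookie Secure (and serving the mobile site over HTTPS) is what closes the gap; the audit above only makes the gap visible.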

I made a short screencast that shows this lack of security.