On Thu, Apr 23, 2009 at 11:19 AM, Dossy Shiobara <[email protected]> wrote:

> An attacker can't get in the middle of an application communicating to Twitter using HTTP Basic Auth.

WRONG. Anyone doing any sort of packet sniffing could easily get user/pass combos at will. Wireless promiscuous mode + Wireshark = instant account hacking. This, of course, holds true only for HTTP transactions (and not HTTPS transactions), but there are a good number of clients/apps that don't use the HTTPS endpoints.

Man-in-the-middle attacks are certainly possible with Basic Auth as well. They just eat the original request, steal the user/pass combo, and do whatever they want with it.

-Chad
