Glad you stepped in, Chad, because I felt really stupid for a second. And like I said, it's less harmful to have your OAuth session stolen (you can just unauthorize the application) than to have your plain Twitter credentials exposed.
Anyway, this is not the subject of this thread; I'm just glad we are going to be able to play with OAuth again soon :o)

On Apr 23, 5:33 pm, Chad Etzel <[email protected]> wrote:
> On Thu, Apr 23, 2009 at 11:19 AM, Dossy Shiobara <[email protected]> wrote:
>
> > An attacker can't get in the middle of an
> > application communicating to Twitter using HTTP Basic Auth.
>
> WRONG. Anyone doing any sort of packet sniffing could easily get
> user/pass combos at will. Wireless promiscuous mode + WireShark =
> instant account hacking. This, of course, holds true only for http
> transactions (and not https transactions), but there are a good number
> of clients/apps that don't use the https endpoints.
>
> Man in the middle attacks are certainly possible with Basic Auth as
> well. They just eat the original request, steal the user/pass combo,
> and do whatever they want with it.
>
> -Chad
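The point Chad makes above is that a Basic Auth header over plain http:// hands the user's real password to anyone on the path, while an OAuth header over http:// exposes only a revocable token. The following audit helper is an added example written for this thread, not code from either poster or from Twitter: it classifies a client's outgoing requests by what a passive observer would learn from them, so an app author can check that credentials never leave over a cleartext endpoint. The request records, the example.com URLs and the function names (classify_request, audit_requests) are all constructed for the example.

```python
"""Audit HTTP client requests for credentials sent over plaintext HTTP.

Added example, not from the original thread. The request records below are
constructed; the function names classify_request and audit_requests are
assumptions made for this example.
"""
from urllib.parse import urlsplit

# Risk labels returned by classify_request
CLEARTEXT_PASSWORD = "cleartext-password"   # Basic Auth over http://
CLEARTEXT_TOKEN = "cleartext-token"         # OAuth token over http:// (revocable)
OK = "ok"                                   # https://, or no credential attached


def classify_request(url: str, headers: dict) -> str:
    """Classify one request by what a passive sniffer could learn from it.

    Basic Auth carries the user's actual password, base64-encoded (which is
    reversible, not encryption), so over plain http:// the password itself is
    exposed. An OAuth header carries a token the user can later revoke, which
    is less damaging but still a session compromise. Over https:// both are
    protected in transit.
    """
    scheme = urlsplit(url).scheme.lower()

    # Header names are case-insensitive; find the Authorization header if any.
    auth = ""
    for name, value in headers.items():
        if name.lower() == "authorization":
            auth = value.strip()
            break

    if scheme != "http" or not auth:
        # https (or a non-http scheme we do not audit), or nothing to leak
        return OK

    kind = auth.split(None, 1)[0].lower()   # "Basic", "OAuth", ...
    if kind == "basic":
        return CLEARTEXT_PASSWORD
    if kind == "oauth":
        return CLEARTEXT_TOKEN
    return OK   # unknown auth scheme: not classified by this example


def audit_requests(requests):
    """Return a list of (url, label) for every request that exposes a credential."""
    findings = []
    for url, headers in requests:
        label = classify_request(url, headers)
        if label != OK:
            findings.append((url, label))
    return findings


# Constructed sample of requests a client might send (not captured traffic).
# The Basic value is base64 of the constructed string "user:pass".
SAMPLE_REQUESTS = [
    ("http://api.example.com/statuses/update",
     {"Authorization": "Basic dXNlcjpwYXNz"}),
    ("https://api.example.com/statuses/update",
     {"authorization": "Basic dXNlcjpwYXNz"}),
    ("http://api.example.com/statuses/friends_timeline",
     {"Authorization": 'OAuth oauth_consumer_key="k", oauth_token="t"'}),
    ("http://api.example.com/statuses/public_timeline", {}),
]

if __name__ == "__main__":
    for url, label in audit_requests(SAMPLE_REQUESTS):
        print(f"{label}: {url}")
```

Run against the constructed sample, the audit flags the first request (password over cleartext) and the third (token over cleartext); the https request and the unauthenticated public-timeline request are not reported.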
