On 4/23/09 11:33 AM, Chad Etzel wrote:
> On Thu, Apr 23, 2009 at 11:19 AM, Dossy Shiobara <[email protected]> wrote:
>> An attacker can't get in the middle of an
>> application communicating to Twitter using HTTP Basic Auth.
>
> WRONG.  Anyone doing any sort of packet sniffing could easily get
> user/pass combos at will. Wireless promiscuous mode + WireShark =
> instant account hacking.  This, of course, holds true only for http
> transactions (and not https transactions), but there are a good number
> of clients/apps that don't use the https endpoints.

Packet sniffing as an attack vector is significantly more difficult to achieve than the OAuth attack is. Defend against the more likely threats before worrying about the less likely ones.

> Man in the middle attacks are certainly possible with Basic Auth as
> well.  They just eat the original request, steal the user/pass combo,
> and do whatever they want with it.

This is a standard phishing attack, and standard advice for anti-phishing applies here.


--
Dossy Shiobara              | [email protected] | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)
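The point both sides of the thread circle around is that an HTTP Basic `Authorization` header is base64, not encryption, so a client that talks to the plain http endpoints hands its user/pass pair to any passive observer, while the same header sent over https is inside the TLS record and a sniffer sees only ciphertext. The following audit script is an added example written for this page, not code from anyone in the thread or from Twitter. It parses a constructed request (the credentials and the client configuration are made up for the example), reports whether that request would expose Basic Auth credentials on the wire, and flags any http:// API endpoint in a hypothetical client config, which is the check a client author would run before shipping.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample credentials and request; nothing here is real.
_SAMPLE_CREDENTIALS = b"example_user:example_pass"
SAMPLE_REQUEST = (
    b"GET /statuses/friends_timeline.json HTTP/1.1\r\n"
    b"Host: twitter.com\r\n"
    b"Authorization: Basic " + base64.b64encode(_SAMPLE_CREDENTIALS) + b"\r\n"
    b"User-Agent: example-client/0.1\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a dict of
    lower-cased header names -> values. Only the message head is needed;
    a body, if present, is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def audit_request(raw: bytes, over_tls: bool) -> dict:
    """Report whether a request would hand its Basic Auth credentials to a
    passive observer. Basic Auth is base64, an encoding rather than
    encryption: on plain http the header is readable by anyone who can see
    the packets. Over TLS the same header sits inside the encrypted record.
    The password itself is never returned, only its length."""
    _, headers = parse_request(raw)
    report = {"basic_auth": False, "username": None, "password_chars": 0,
              "exposed_to_sniffer": False}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:].strip()).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        report.update(basic_auth=True, username=user,
                      password_chars=len(password),
                      exposed_to_sniffer=not over_tls)
    return report


def endpoint_uses_tls(url: str) -> bool:
    """True only for https:// endpoints; an http:// entry combined with
    Basic Auth is exactly the exposure the thread describes."""
    return urlsplit(url).scheme.lower() == "https"


def audit_client_config(endpoints: dict[str, str]) -> list[str]:
    """Return the names of configured endpoints that would send Basic Auth
    in the clear."""
    return [name for name, url in endpoints.items() if not endpoint_uses_tls(url)]


if __name__ == "__main__":
    # Hypothetical client configuration, constructed for this example.
    config = {
        "timeline": "http://twitter.com/statuses/friends_timeline.json",
        "update": "https://twitter.com/statuses/update.json",
    }
    print(audit_request(SAMPLE_REQUEST, over_tls=False))
    print(audit_request(SAMPLE_REQUEST, over_tls=True))
    print("endpoints exposing Basic Auth:", audit_client_config(config))
```

Running it shows the same request reported as exposed when sent over plain http and as not exposed over TLS, and lists `timeline` as the endpoint that needs to move to the https URL. The `over_tls` flag stands in for what a capture tool would know from the connection itself; the script deliberately stops at reporting the username and password length, which is all a remediation ticket needs.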
