On Thu, Apr 23, 2009 at 2:35 PM, Dossy Shiobara <[email protected]> wrote:
>
> On 4/23/09 11:33 AM, Chad Etzel wrote:
>>
>> On Thu, Apr 23, 2009 at 11:19 AM, Dossy Shiobara<[email protected]>
>>  wrote:
>>>
>>> An attacker can't get in the middle of an
>>> application communicating to Twitter using HTTP Basic Auth.
>>
>> WRONG.  Anyone doing any sort of packet sniffing could easily get
>> user/pass combos at will. Wireless promiscuous mode + WireShark =
>> instant account hacking.  This, of course, holds true only for http
>> transactions (and not https transactions), but there are a good number
>> of clients/apps that don't use the https endpoints.
>
> Packet sniffing as an attack vector is significantly more difficult to
> achieve than the OAuth attack is.  Defend against the more likely threats
> before worrying about the less likely ones.

I wholeheartedly disagree.  Sit in a tech conference room with a
laptop and sniff away at least a hundred accounts in under 5 minutes.
I'm not saying I've done it, but I'm not saying I haven't, either...

>
>> Man in the middle attacks are certainly possible with Basic Auth as
>> well.  They just eat the original request, steal the user/pass combo,
>> and do whatever they want with it.
>
> This is a standard phishing attack, and standard advice for anti-phishing
> applies here.

No, phishing != man-in-the-middle.  If I hack a router to intercept
all traffic headed toward twitter.com and then grok out the
credentials, this has nothing to do with social engineering or
phishing... I've just screwed your account, and you have no idea how.

Obviously there are attack vectors with both methods, but I contend
that Basic Auth is much much much easier to attack than OAuth (even in
its current state, and even more so when it is upgraded/patched to deal
with this new vector).

-Chad

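An added illustration of the point made in this thread, not code from the thread or from any Twitter client: Basic Auth is only base64 encoding, so a request sent over plain HTTP hands the credentials to anyone reading the wire, and the one client-side rule that closes that gap is refusing to attach the header to a non-https endpoint. The sample request, the credentials in it and the function names are all constructed for this example.

```python
import base64
from urllib.parse import urlparse

# Constructed sample: a Basic Auth API call as it would appear on the wire.
# The user/password are hypothetical placeholders, not real credentials.
SAMPLE_REQUEST = (
    "GET /statuses/friends_timeline.json HTTP/1.1\r\n"
    "Host: twitter.com\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n"
    "User-Agent: example-client/0.1\r\n"
    "\r\n"
)


def audit_basic_auth(raw_request: str, over_tls: bool) -> dict:
    """Inspect one raw HTTP request and report whether it carried Basic Auth
    credentials and whether the transport protected them.

    base64 is an encoding, not encryption: the username below is recovered
    with a single decode. Only TLS keeps a passive observer from doing the
    same, which is why 'exposed' is simply 'Basic Auth present and no TLS'."""
    header_block = raw_request.split("\r\n\r\n", 1)[0]
    for line in header_block.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip().lower() == "authorization" and value.lower().startswith("basic "):
            token = value.split(None, 1)[1]
            user = base64.b64decode(token).decode("utf-8", "replace").split(":", 1)[0]
            return {"basic_auth": True, "user": user, "exposed": not over_tls}
    return {"basic_auth": False, "user": None, "exposed": False}


def basic_auth_header(url: str, username: str, password: str) -> str:
    """Build the Authorization header a client would send, refusing to do so
    unless the endpoint is https. This is the client-side guard that avoids
    the plaintext-HTTP exposure the thread describes."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError("refusing to send Basic Auth credentials over %r" % scheme)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token
```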