Jump to content

Twitter


joeypesci
 Share

Recommended Posts

As a total noob on hacking, I learn tiny amounts as I go along. Looking at Man In The Middle attacks at the moment, but waiting for some kit to arrive to do it on my own network.

While waiting, I just decided to run NetworkMiner recommended on a Hak5 episode.

Bored tonight so got it running while surfing the net. Logged into Twitter and check the Credentials field in NetworkMiner. As suspected it's protected so no user name or password was picked up. However, going into my twitter settings and changing my e-mail settings it asked me to re-enter the password for security as it does. Did that, then check NetworkMiner again and low and behold, it appears that password boxes isn't protected at all as NetworkMiner picked up the password that time.

Just thought it was a bit interesting :)

Link to comment
Share on other sites

As a total noob on hacking, I learn tiny amounts as I go along. Looking at Man In The Middle attacks at the moment, but waiting for some kit to arrive to do it on my own network.

While waiting, I just decided to run NetworkMiner recommended on a Hak5 episode.

Bored tonight so got it running while surfing the net. Logged into Twitter and check the Credentials field in NetworkMiner. As suspected it's protected so no user name or password was picked up. However, going into my twitter settings and changing my e-mail settings it asked me to re-enter the password for security as it does. Did that, then check NetworkMiner again and low and behold, it appears that password boxes isn't protected at all as NetworkMiner picked up the password that time.

Just thought it was a bit interesting :)

When you changed the settings what settings did you actually change? The https to http settings?

Link to comment
Share on other sites

When you changed the settings what settings did you actually change? The https to http settings?

Account settings. You go in and change stuff like unticking the box so people can't find you via your e-mail address on Twitter, stuff like that. Just Twitters settings. It then asks you to put in your password again before it accepts any changes (their security message). And it's that password box that pops up that isn't encrypted.

And no it wasn't a phishing attack someone had done on me :)

Just odd that the main login is encrypted but clearly this so called added security, isn't.

Link to comment
Share on other sites

Account settings. You go in and change stuff like unticking the box so people can't find you via your e-mail address on Twitter, stuff like that. Just Twitters settings. It then asks you to put in your password again before it accepts any changes (their security message). And it's that password box that pops up that isn't encrypted.

And no it wasn't a phishing attack someone had done on me :)

Just odd that the main login is encrypted but clearly this so called added security, isn't.

Thats actually a good catch and something you should bring to the attention of Twitter folks. Report it as a bug if you will, but something like that should be secured in the same manner as their login pages are. Also, if you were using network miner, even if you logged in and it didnt get your password, did it get your cookies ;). You dont always need a password to login to websites. Cookies are often all you need, and easily captured via mitm and session hijacking. Hell, if you have physical access to a machine, you could dump the cookies from the local users browsers and take them home with you to login as them without the need for their email or password.

Some applications are even weaker and only reuqire you to pass a secret hash to them, such as games on Facebook. I have a link I constructed from wireshark using only the swf file with an appended set of keys that allows me to login to a game as another user, without having to be logged into facebook as that user. What that means is that you can basically impersonate someone in a game, chat with that persons friends, wreck havock in their game and settings and destroy their game stats if you were malicious enough.

Link to comment
Share on other sites

Fuck me the whole system is flawed.

I'm not sure if it's Twitter or the way Firefox is handling it as I haven't tested in IE. I tried again and it didn't sniff it, then the 2nd attempt it did. However, I also went to change the password of the actual account and just decided to monitor it on the off chance.

And guess want. It sniffs that as well. NetworkMiner however, in the credentials field, shows the old password in the password field, and in the username field shows the new password.

I assume this still means both passwords are being sent unencrypted.

On that note, I'd never use Twitter on a public shared connection ever again :)

Link to comment
Share on other sites

I think partly the issue with taking more than one attempt is Network Miner is probably dropping packets. You could try Wireshark and give it a nice fat buffer to write with and not show in real time, then annalyze aferwards to make sure you didnt lose any packets. Chances are its just network miner dropping or not capturing all the packets, as it took you more than one attempt, it might just be slow to update in real time. Wireshark in my opinion is much better, but doesnt sort things for you like Network Miner does. You could however(correct me if I am wrong) import a pcap file in network miner from wireshark for further breakdown.

I just tweeted about your vids too. One thing I noticed though. When on twitter and you want to change your password, if you are coming from your tweets, your on http. You can manually change it to https BEFORE changing your passwords though. Try that and see if network miner still finds them.

Edited by digip
Link to comment
Share on other sites

Fuck me the whole system is flawed.

I'm not sure if it's Twitter or the way Firefox is handling it as I haven't tested in IE. I tried again and it didn't sniff it, then the 2nd attempt it did. However, I also went to change the password of the actual account and just decided to monitor it on the off chance.

And guess want. It sniffs that as well. NetworkMiner however, in the credentials field, shows the old password in the password field, and in the username field shows the new password.

I assume this still means both passwords are being sent unencrypted.

On that note, I'd never use Twitter on a public shared connection ever again :)

I don't think it would firefox though, it would definitely be a bug on their website coding somewhere.

Edited by Infiltrator
Link to comment
Share on other sites

I think partly the issue with taking more than one attempt is Network Miner is probably dropping packets. You could try Wireshark and give it a nice fat buffer to write with and not show in real time, then annalyze aferwards to make sure you didnt lose any packets. Chances are its just network miner dropping or not capturing all the packets, as it took you more than one attempt, it might just be slow to update in real time. Wireshark in my opinion is much better, but doesnt sort things for you like Network Miner does. You could however(correct me if I am wrong) import a pcap file in network miner from wireshark for further breakdown.

I just tweeted about your vids too. One thing I noticed though. When on twitter and you want to change your password, if you are coming from your tweets, your on http. You can manually change it to https BEFORE changing your passwords though. Try that and see if network miner still finds them.

Tried all above now. Wireshark did pick it up as well and imported the pcap into Miner as it does all the filtering :)

Looking back at my vids I did notice some of them appear to have the https but then when you put in your details Twitter is dropping the s.

I've done a test as you suggested and changed the http to https before typing in the password but it makes no difference. Wireshark and miner are still picking up the passwords.

So it does seem that Twitter are sending the passwords in plain text.

Link to comment
Share on other sites

Tried all above now. Wireshark did pick it up as well and imported the pcap into Miner as it does all the filtering :)

Looking back at my vids I did notice some of them appear to have the https but then when you put in your details Twitter is dropping the s.

I've done a test as you suggested and changed the http to https before typing in the password but it makes no difference. Wireshark and miner are still picking up the passwords.

So it does seem that Twitter are sending the passwords in plain text.

That's very strange, https is suppose to prevent you or anyone else from seeing the password in clear text.

Edited by Infiltrator
Link to comment
Share on other sites

Yeah but I think what is happening is, as soon as you press enter, it's removing the S.

Also in the settings section, when it asks you to confirm the password, I wonder if that password box that pops up is classed as a new session of IE/Firefox that is just running http

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...