Jump to content

Getting credentials from an app


botter911

Recommended Posts

I'm wondering how do apps(i.e Facebook, or Twitter) on an iphone or android device transmit the username and password?


We can always do a MITM attack using an SSL Strip to get the login credentials from a PC. However, how does the new Wifi Pineapple Nano get the login credentials if I am using an Facebook app(over wireless)? Can we still use the SSL Strip or is there any other MITM attack?

Link to comment
Share on other sites

I would sincerely hope that apps like Facebook and Twitter implement SSL pinning to protect against somehting like this.

Yes last time I looked those apps Cert Pin. Also you will find a lot of apps with use OAuth so don't store or transmit user/pass pairs. Though you can still use the OAuth token. Though the token is often limited in the functions it can do.

Edited by Karit
Link to comment
Share on other sites

Yes last time I looked those apps Cert Pin. Also you will find a lot of apps with use OAuth so don't store or transmit user/pass pairs. Though you can still use the OAuth token. Though the token is often limited in the functions it can do.

So does this mean that we can just gey their OAuths and not their exact credentials? Is this because it's pre logged in?

Link to comment
Share on other sites

  • 8 months later...
On 12/26/2015 at 3:31 AM, Karit said:

Yes last time I looked those apps Cert Pin. Also you will find a lot of apps with use OAuth so don't store or transmit user/pass pairs. Though you can still use the OAuth token. Though the token is often limited in the functions it can do.


I'm new here, basically there is no way to get access to the facebook/twitter  with their OAuth or whatever info we could get from the user?


 What if i don't want the user and pass,  what if i need only the email address and profile picture from the victim, and maybe post something on his/her wall


Is there a way to get that using the wifi pineapple nano?

Link to comment
Share on other sites

4 hours ago, yonomas said:

I'm new here, basically there is no way to get access to the facebook/twitter  with their OAuth or whatever info we could get from the user?
 What if i don't want the user and pass,  what if i need only the email address and profile picture from the victim, and maybe post something on his/her wall
Is there a way to get that using the wifi pineapple nano?

No. And what you intend to do is also illegal.

Link to comment
Share on other sites

19 minutes ago, Sebkinne said:

No. And what you intend to do is also illegal.

Well, get the pass using http is also illegal, but that's not the point, what i'm trying to do is for testing purposes only. 

My question is, can i get the OAuth? If so, what can i do with it? 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...