botter911 Posted December 26, 2015 Share Posted December 26, 2015 I'm wondering how do apps(i.e Facebook, or Twitter) on an iphone or android device transmit the username and password? We can always do a MITM attack using an SSL Strip to get the login credentials from a PC. However, how does the new Wifi Pineapple Nano get the login credentials if I am using an Facebook app(over wireless)? Can we still use the SSL Strip or is there any other MITM attack? Quote Link to comment Share on other sites More sharing options...
White Light Posted December 26, 2015 Share Posted December 26, 2015 I would sincerely hope that apps like Facebook and Twitter implement SSL pinning to protect against somehting like this. Quote Link to comment Share on other sites More sharing options...
Karit Posted December 26, 2015 Share Posted December 26, 2015 (edited) I would sincerely hope that apps like Facebook and Twitter implement SSL pinning to protect against somehting like this. Yes last time I looked those apps Cert Pin. Also you will find a lot of apps with use OAuth so don't store or transmit user/pass pairs. Though you can still use the OAuth token. Though the token is often limited in the functions it can do. Edited December 26, 2015 by Karit Quote Link to comment Share on other sites More sharing options...
botter911 Posted December 27, 2015 Author Share Posted December 27, 2015 Yes last time I looked those apps Cert Pin. Also you will find a lot of apps with use OAuth so don't store or transmit user/pass pairs. Though you can still use the OAuth token. Though the token is often limited in the functions it can do. So does this mean that we can just gey their OAuths and not their exact credentials? Is this because it's pre logged in? Quote Link to comment Share on other sites More sharing options...
cooper Posted December 27, 2015 Share Posted December 27, 2015 OAuth uses a bearer token. If you have the token you can do the thing until it gets revoked. I recorded a talk by Jim Manico on the subject of OAuth. It's a cool concept. Quote Link to comment Share on other sites More sharing options...
yonomas Posted September 26, 2016 Share Posted September 26, 2016 On 12/26/2015 at 3:31 AM, Karit said: Yes last time I looked those apps Cert Pin. Also you will find a lot of apps with use OAuth so don't store or transmit user/pass pairs. Though you can still use the OAuth token. Though the token is often limited in the functions it can do. I'm new here, basically there is no way to get access to the facebook/twitter with their OAuth or whatever info we could get from the user? What if i don't want the user and pass, what if i need only the email address and profile picture from the victim, and maybe post something on his/her wall Is there a way to get that using the wifi pineapple nano? Quote Link to comment Share on other sites More sharing options...
Sebkinne Posted September 26, 2016 Share Posted September 26, 2016 4 hours ago, yonomas said: I'm new here, basically there is no way to get access to the facebook/twitter with their OAuth or whatever info we could get from the user? What if i don't want the user and pass, what if i need only the email address and profile picture from the victim, and maybe post something on his/her wall Is there a way to get that using the wifi pineapple nano? No. And what you intend to do is also illegal. Quote Link to comment Share on other sites More sharing options...
yonomas Posted September 26, 2016 Share Posted September 26, 2016 19 minutes ago, Sebkinne said: No. And what you intend to do is also illegal. Well, get the pass using http is also illegal, but that's not the point, what i'm trying to do is for testing purposes only. My question is, can i get the OAuth? If so, what can i do with it? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.