botter911

Getting credentials from an app


I'm wondering how apps (i.e. Facebook or Twitter) on an iPhone or Android device transmit the username and password?


We can always do a MITM attack using SSL Strip to get the login credentials from a PC. However, how does the new WiFi Pineapple Nano get the login credentials if I am using a Facebook app (over wireless)? Can we still use SSL Strip, or is there any other MITM attack?


I would sincerely hope that apps like Facebook and Twitter implement SSL pinning to protect against something like this.

Yes, last time I looked those apps cert pin. Also you will find a lot of apps which use OAuth, so they don't store or transmit user/pass pairs. Though you can still use the OAuth token. Though the token is often limited in the functions it can do.

Edited by Karit


Yes, last time I looked those apps cert pin. Also you will find a lot of apps which use OAuth, so they don't store or transmit user/pass pairs. Though you can still use the OAuth token. Though the token is often limited in the functions it can do.

So does this mean that we can just get their OAuth tokens and not their exact credentials? Is this because it's pre-logged in?


OAuth uses a bearer token. If you have the token, you can do the thing until it gets revoked.

I recorded a talk by Jim Manico on the subject of OAuth. It's a cool concept.

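An added example (not posted by anyone in this thread) that models the two points made in the replies above, in Python with assumed names: a bearer token that has left the device works from any client until it expires or is revoked, while a token issued with only a read scope cannot be used to post. The scope names, timestamps and server class are constructed for illustration.

```python
import hashlib
import secrets

def _digest(token):
    # Store only a hash of the token: a leaked token table is then not usable as-is.
    return hashlib.sha256(token.encode()).hexdigest()

class AuthServer:
    """Issues, checks and revokes opaque OAuth-style bearer tokens (assumed model)."""
    def __init__(self):
        self._records = {}

    def issue(self, scopes, ttl, now):
        token = secrets.token_urlsafe(32)  # high entropy: cannot be guessed
        self._records[_digest(token)] = {"scopes": frozenset(scopes),
                                         "expires_at": now + ttl, "revoked": False}
        return token

    def revoke(self, token):
        if _digest(token) in self._records:
            self._records[_digest(token)]["revoked"] = True

    def check(self, token, required_scope, now):
        """Resource-server decision for one request: 'ok' or the refusal reason."""
        record = self._records.get(_digest(token))
        if record is None:
            return "unknown_token"
        if record["revoked"]:
            return "revoked"
        if now >= record["expires_at"]:
            return "expired"
        if required_scope not in record["scopes"]:
            return "insufficient_scope"
        return "ok"

def demo(now=1000.0):
    """Constructed scenario: a read-only token is captured and replayed by a third party."""
    auth = AuthServer()
    token = auth.issue({"profile:read"}, ttl=3600, now=now)
    results = {
        "replay_from_other_client": auth.check(token, "profile:read", now + 60),
        "post_with_read_only_token": auth.check(token, "wall:post", now + 60),
        "after_expiry": auth.check(token, "profile:read", now + 3600),
    }
    auth.revoke(token)  # user logs out or the provider detects abuse
    results["after_revocation"] = auth.check(token, "profile:read", now + 60)
    return results
```

Short lifetimes, narrow scopes and prompt revocation are what limit the damage a replayed token can do; the password itself never travels in the token.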
On 12/26/2015 at 3:31 AM, Karit said:

Yes, last time I looked those apps cert pin. Also you will find a lot of apps which use OAuth, so they don't store or transmit user/pass pairs. Though you can still use the OAuth token. Though the token is often limited in the functions it can do.


I'm new here. Basically, there is no way to get access to the Facebook/Twitter with their OAuth or whatever info we could get from the user?


What if I don't want the user and pass, what if I need only the email address and profile picture from the victim, and maybe post something on his/her wall?


Is there a way to get that using the wifi pineapple nano?

4 hours ago, yonomas said:

I'm new here. Basically, there is no way to get access to the Facebook/Twitter with their OAuth or whatever info we could get from the user?
What if I don't want the user and pass, what if I need only the email address and profile picture from the victim, and maybe post something on his/her wall?
Is there a way to get that using the wifi pineapple nano?

No. And what you intend to do is also illegal.

19 minutes ago, Sebkinne said:

No. And what you intend to do is also illegal.

Well, getting the pass using HTTP is also illegal, but that's not the point; what I'm trying to do is for testing purposes only.

My question is, can I get the OAuth? If so, what can I do with it?

