Recently Raul Siles, Founder and Senior Security Analyst with Taddong.com discovered the Twitter Credentials Disclosure stating the vulnerabilities in the HTC Peep (Twitter) Application. Didn’t know there were any? These could have potentially displayed your Twitter credentials, making them vulnerable to eavesdropping attacks.
HTC and Twitter have been really quiet on this matter and are working fast to get it fixed. They say there is already an update that’s just not made public just yet. We are sure it will be available soon, or at least hope so. Here are some details on what’s going on. Be sure to check the source for the full story.
Vulnerability description:
HTC Peep is vulnerable to two different credentials disclosure vulnerabilities during the authentication process against the Twitter service (twitter.com).
Both vulnerabilities are during the authentication process, the HTC Peep application basically establishes a few different HTTP requests, making the authentication process vulnerable to eavesdropping attacks because it’s not secure enough. This authentication exchange should be protected by HTTPS, forcing the credentials to be sent over an encrypted channel.
The discovery of these vulnerabilities was aligned with Twitter’s announcement to increase the security of third-party apps: “Starting August 31, all applications will be required to use “OAuth” to access your Twitter account“. This service switch didn’t make any difference regarding this vulnerability, however, as this advisory demonstrates, technology must be implemented properly.
In the past Twitter developers have been able to choose one of two authentication methods: Basic Authentication or OAuth. Somehow, HTC Peep is using both methods simultaneously, exposing the user credentials. Now what do you think about that? Do you use HTC Peep? Let us know what you think!
Thanks Jake!