Peep is a Twitter client found on HTC devices, and according to Taddong's security blog it has serious issues that cause the app to send a user's Twitter credentials over the network in the clear, making them vulnerable to eavesdropping attacks.
The vulnerabilities, discovered by Raul Siles, founder and senior security analyst at Taddong, lie in the way Peep authenticates to Twitter and in the way it handles HTTP requests after the user's session has been established.
Today Taddong posted a detailed explanation of how HTC Peep sends both the user's Twitter username and password in plaintext in the third HTTP request, a POST to the "/oauth/authorize" resource.
The first vulnerability resides in the third HTTP request, a POST request towards the "/oauth/authorize" resource, which contains several parameters, including the Twitter username and password in the clear, making the authentication process vulnerable to eavesdropping attacks. - Taddong
The second vulnerability appears after the session is established: every HTTP request from the device to Twitter carries the user's Twitter username and password again, this time in an HTTP Basic authentication header. Taddong notes that this should not be happening because the app is supposed to be using OAuth, an open standard that lets apps access services like Twitter with tokens instead of the user's password, so the password should never be on the wire after the initial authorization.
...all the HTTP requests from the mobile device to the Twitter service include an HTTP Basic authentication header that contains the Twitter username and password (although the app is supposed to be using OAuth)
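One way to spot both leaks described above in captured traffic, as an added example that is not from the Taddong report or from HTC's code: the script below parses raw HTTP requests and flags a credential-looking form field in a POST body (the "/oauth/authorize" case) and an HTTP Basic Authorization header (decoded back to user:password), while recognising a proper OAuth 1.0a Authorization header as one that carries only a consumer key, an access token and an HMAC signature, never the password. The sample requests, the hostname and API paths other than /oauth/authorize, the form field names username/password and the credentials alice/hunter2 are constructed for the example and are assumptions, not values from the report.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample requests for this example (not captured traffic). The
# form field names, the hostname, the API paths other than /oauth/authorize
# and the credentials "alice"/"hunter2" are assumptions, not values from the
# Taddong report.
LEAKY_POST = (
    "POST /oauth/authorize HTTP/1.1\r\n"
    "Host: api.twitter.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "oauth_token=abc123&username=alice&password=hunter2"
)
LEAKY_BASIC = (
    "GET /1/statuses/home_timeline.json HTTP/1.1\r\n"
    "Host: api.twitter.com\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n"
    "\r\n"
)
OAUTH_OK = (
    "GET /1/statuses/home_timeline.json HTTP/1.1\r\n"
    "Host: api.twitter.com\r\n"
    'Authorization: OAuth oauth_consumer_key="ckey", oauth_token="atoken", '
    'oauth_signature_method="HMAC-SHA1", oauth_signature="c2ln%3D", '
    'oauth_timestamp="1300000000", oauth_nonce="n0nce", oauth_version="1.0"\r\n'
    "\r\n"
)

# Form field names treated as credentials (an assumption for the example).
CREDENTIAL_FIELDS = {"username", "user", "email", "password", "passwd", "pass"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_credential_leaks(raw):
    """Return a list of (kind, detail) findings for one request.

    kind is 'form-credentials' for a credential-looking field in a form POST
    body, 'basic-auth' for an HTTP Basic header (decoded to user:password),
    or 'oauth' for OAuth header authentication, where only tokens and an
    HMAC signature travel on the wire, never the password.
    """
    method, path, headers, body = parse_request(raw)
    findings = []

    content_type = headers.get("content-type", "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body).items():
            if field.lower() in CREDENTIAL_FIELDS:
                findings.append(("form-credentials", f"{path} {field}={values[0]}"))

    scheme, _, param = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, password = base64.b64decode(param, validate=True).decode().partition(":")
            findings.append(("basic-auth", f"{user}:{password}"))
        except (ValueError, UnicodeDecodeError):
            findings.append(("basic-auth", "<undecodable credentials>"))
    elif scheme.lower() == "oauth":
        oauth = {}
        for item in param.split(","):
            key, _, value = item.strip().partition("=")
            oauth[key] = value.strip('"')
        leaked = sorted(k for k in oauth if k.lower() in CREDENTIAL_FIELDS)
        if leaked:
            findings.append(("form-credentials", f"OAuth header carries {leaked}"))
        else:
            method_name = oauth.get("oauth_signature_method", "?")
            findings.append(("oauth", f"signed with {method_name}, no password on the wire"))
    return findings


def audit(requests):
    """Count the requests that expose a password to a passive eavesdropper."""
    exposed = 0
    for raw in requests:
        if any(kind != "oauth" for kind, _ in find_credential_leaks(raw)):
            exposed += 1
    return exposed


if __name__ == "__main__":
    for raw in (LEAKY_POST, LEAKY_BASIC, OAUTH_OK):
        print(parse_request(raw)[1], find_credential_leaks(raw))
    print("requests exposing credentials:", audit([LEAKY_POST, LEAKY_BASIC, OAUTH_OK]))
```

Feed it raw requests exported from an intercepting proxy or reassembled from a capture on the Wi-Fi segment the device is using. The OAuth branch is there for the contrast the Taddong report draws: a well-behaved OAuth client's requests decode to a consumer key, an access token and a signature, none of which is the user's password, whereas a Basic header decodes straight back to user:password for anyone who can see the traffic.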
As of 6pm CET today, HTC has confirmed that an update exists, but for whatever reason it is not publicly available. HTC customers who are concerned about the issue must contact HTC directly.