Peep, the Twitter client bundled on HTC devices, has serious issues according to Taddong’s security blog: the app sends a user’s Twitter credentials over the network in the clear, exposing them to eavesdropping attacks.
The vulnerabilities, discovered by Raul Siles, founder and senior security analyst at Taddong, lie in the way Peep connects to Twitter and in the way the HTTP requests are handled once the session has been established.
Today Taddong posted a lengthy explanation of how HTC Peep sends both the user’s Twitter username and password in the clear in the third HTTP request, the one that requests the “/oauth/authorize” resource.
The first vulnerability resides in the third HTTP request, a POST request towards the “/oauth/authorize” resource, which contains several parameters, including the Twitter username and password in the clear, making the authentication process vulnerable to eavesdropping attacks -Taddong
The second vulnerability appears after the connection is established: every subsequent HTTP request from the device to Twitter again carries the user’s Twitter username and password, this time in an HTTP Basic authentication header. Taddong notes that this should not be happening because the app is supposed to be using OAuth, an open standard that lets an app access a service such as Twitter on the user’s behalf with a token instead of the user’s password.
...all the HTTP requests from the mobile device to the Twitter service include an HTTP Basic authentication header that contains the Twitter username and password (although the app is supposed to be using OAuth)
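As an added illustration (not part of Taddong’s post, and not HTC’s or Twitter’s code), the following Python script shows what a tester checking captured traffic for the two problems above would look for: credential fields in the body of the “/oauth/authorize” POST, and an HTTP Basic authentication header on later requests, which an eavesdropper can decode with nothing more than base64. The three sample requests are constructed for the example; the host, paths, parameter names and the credentials alice/s3cret are assumptions, not values from the original capture.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample traffic of the kind described in the article, as it would
# appear to an eavesdropper on an unencrypted channel. Host, paths, field names
# and credentials are illustrative assumptions, not values from Taddong's capture.
SAMPLE_REQUESTS = [
    # Request 1: the authorize step, with username and password in the form body.
    (
        "POST /oauth/authorize HTTP/1.1\r\n"
        "Host: api.twitter.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "oauth_token=abc123&username=alice&password=s3cret"
    ),
    # Request 2: a later API call carrying HTTP Basic credentials (base64 of user:pass).
    (
        "GET /1/statuses/home_timeline.json HTTP/1.1\r\n"
        "Host: api.twitter.com\r\n"
        "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n"
        "\r\n"
    ),
    # Request 3: what the same call should look like with OAuth: a token and a
    # signature, no password anywhere in the request.
    (
        "GET /1/statuses/home_timeline.json HTTP/1.1\r\n"
        "Host: api.twitter.com\r\n"
        'Authorization: OAuth oauth_consumer_key="k", oauth_token="t", oauth_signature="s"\r\n'
        "\r\n"
    ),
]

# Form field names that indicate a password-based login rather than a token exchange.
CREDENTIAL_FIELDS = {"username", "user", "email", "password", "passwd", "pass"}


def parse_request(raw):
    """Split one raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_exposed_credentials(raw):
    """Return a list of (finding, detail) for each place plaintext credentials appear."""
    method, path, headers, body = parse_request(raw)
    findings = []

    # HTTP Basic is base64(user:pass): encoding, not encryption. Anyone who sees
    # the header recovers the password directly.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = None
        if decoded is not None and ":" in decoded:
            user, _, _ = decoded.partition(":")
            findings.append(("basic_auth_header",
                             f"{method} {path} sends Basic credentials for user {user!r}"))

    # A form-encoded body naming username/password fields is the first problem
    # the article describes: a password sent where only a token should travel.
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        leaked = sorted(CREDENTIAL_FIELDS & set(parse_qs(body)))
        if leaked:
            findings.append(("form_body",
                             f"{method} {path} carries credential fields {leaked}"))
    return findings


def scan(requests):
    """Run the check over a list of raw requests and collect every finding."""
    return [f for raw in requests for f in find_exposed_credentials(raw)]


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_REQUESTS):
        print(f"[{kind}] {detail}")
```

Running the script flags the first two requests and is silent on the third: an OAuth header carries a consumer key, a token and a signature, so a passive listener learns nothing that lets them log in as the user, which is the whole reason the article calls the Basic header a bug rather than a design choice.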