13th February 2011, 03:06 AM   |  #13  
cajunflavoredbob, Senior Member
Peep Update *.cabs
EDIT: DO NOT PM ME ABOUT THIS FIX. IT DOES NOT WORK.

Please do not PM me about this security fix. It has nothing to do with the current Twitter outage as of the beginning of May 2011.


After pulling them apart and recompiling them, with the help of JVH3, here are the HTC Peep Update *.cabs. These are for Windows Mobile users with version 6.5 or higher. It should work, in theory, with version 6.1, but I didn't feel like testing it out. Obviously, you'll need Sense 2.5 as well. There are four versions, but they all seem to be exactly the same. I didn't notice any differences other than the dates they were packaged. The Rhodium version seemed to have a slightly smaller TwitterApp.exe file, but I still don't think it was different.

Disclaimer: I take no responsibility for anything you do to your devices. These are posted for informational purposes. If you choose to install the application update, then any side effects (of which there should not be) are on you.


Changes

This update changes the way the Twitter Tab (HTC Peep) authenticates your user account. Before this update, your account information is sent via unencrypted http headers upon login which reveal both the username and password to anyone who happens to be eavesdropping on the connection, whether it is by cellular data or wifi as seen below.
Code:
authenticity_token=c8b5abaf53f223e827d9258ddfef4285a816db5f&
oauth_token=I4FK956n1foaHjayLKXJT2IaBpsmoo0amKyPhebc&
session%5Busername_or_email%5D=USERNAME&session%5Bpassword%5D=PASSWORD
Also, when sending tweets or receiving them, there is a continuous authentication request sent which exposes the username and password again, as illustrated below.
Code:
GET /statuses/friends_timeline.json?count=50&page=1 HTTP/1.1
Accept: text/xml, application/xml;q=0.9, */*;q=0
Authorization: Basic BASE64("USERNAME:PASSWORD")
User-Agent: TwitterEngine
Host: twitter.com
I haven't been able to confirm the status of the current update yet with traffic monitoring, but according to HTC, this update sets the Peep application to use OAuth to establish a connection with https to encrypt the username and password instead of leaving it exposed for all the world to see.


EDIT: This is not a 100% fix. It seems that while the initial session is now being sent over https using TCP port 443 (sending against the api.twitter.com domain), during the rest of the session, Peep switches back to HTTP Basic. This still leaves the whole session after the initial login vulnerable to hijacking based on Twitter's session ID through cookies. I suggest using a different Twitter client, as neither HTC nor Twitter care for our aging devices.


EDIT: DO NOT PM ME ABOUT THIS FIX. IT DOES NOT WORK.
Last edited by cajunflavoredbob; 26th July 2011 at 02:23 AM. Reason: No one bothers to read anymore.
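The post above shows three ways a client leaks credentials or a session over plaintext HTTP: a form-posted password, an HTTP Basic Authorization header (base64 is encoding, not encryption), and a session cookie sent over HTTP after an HTTPS login. The following is an added example written for this page, not code from HTC, Twitter or the post's author: a small audit that parses captured requests and flags each of those patterns. The sample captures are constructed to mirror the post's snippets; USERNAME, PASSWORD, SESSIONVALUE and the cookie name `_twitter_sess` are placeholders, and the password-field and cookie-name heuristics are assumptions, not anything the post specifies.

```python
"""Audit captured HTTP requests for plaintext credential and session leaks.

Added example for this page (not HTC's, Twitter's or the post author's code).
Each capture is (scheme, raw request text). The samples below are constructed
and mirror the post's two snippets plus an HTTPS OAuth request and a later
plaintext request carrying a session cookie; all secret values are placeholders.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample captures, not real traffic.
SAMPLE_CAPTURES = [
    # Login form over plain HTTP (matches the first snippet in the post).
    ("http",
     "POST /sessions HTTP/1.1\r\nHost: twitter.com\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "authenticity_token=abc&session%5Busername_or_email%5D=USERNAME"
     "&session%5Bpassword%5D=PASSWORD"),
    # Timeline fetch with HTTP Basic over plain HTTP (second snippet in the post).
    ("http",
     "GET /statuses/friends_timeline.json?count=50&page=1 HTTP/1.1\r\n"
     "Authorization: Basic " + base64.b64encode(b"USERNAME:PASSWORD").decode()
     + "\r\nUser-Agent: TwitterEngine\r\nHost: twitter.com\r\n\r\n"),
    # OAuth exchange over HTTPS: nothing to flag.
    ("https",
     "POST /oauth/access_token HTTP/1.1\r\nHost: api.twitter.com\r\n"
     "Authorization: OAuth oauth_consumer_key=placeholder\r\n\r\n"),
    # Later request that fell back to plain HTTP with a session cookie.
    ("http",
     "GET /statuses/home_timeline.json HTTP/1.1\r\nHost: api.twitter.com\r\n"
     "Cookie: _twitter_sess=SESSIONVALUE\r\n\r\n"),
]

# Heuristics (assumptions): field names that usually carry a password, and
# substrings that usually mark a session-bearing cookie.
PASSWORD_FIELDS = ("password", "session[password]", "passwd", "pass")
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_request(scheme, raw):
    """Return a list of finding strings for one captured request."""
    findings = []
    _, headers, body = parse_request(raw)
    plaintext = scheme.lower() != "https"

    # HTTP Basic: the credentials are base64, so anyone on the path can read them.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            creds = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
        except Exception:
            creds = "<undecodable>"
        user = creds.split(":", 1)[0]
        findings.append(("basic-auth-plaintext" if plaintext else "basic-auth-tls") + f" user={user}")

    # Form-posted password fields (keys are percent-decoded by parse_qs).
    if "form-urlencoded" in headers.get("content-type", "") and body:
        for name in parse_qs(body):
            if name.lower() in PASSWORD_FIELDS:
                findings.append(("password-field-plaintext" if plaintext else "password-field-tls") + f" field={name}")

    # Session cookie over plain HTTP: hijackable even if the login itself used TLS.
    cookie = headers.get("cookie", "")
    if cookie and plaintext:
        for part in cookie.split(";"):
            name = part.split("=", 1)[0].strip()
            if any(hint in name.lower() for hint in SESSION_COOKIE_HINTS):
                findings.append(f"session-cookie-plaintext cookie={name}")
    return findings


def audit_captures(captures):
    """Audit every capture; returns [(index, scheme, findings), ...]."""
    return [(i, scheme, audit_request(scheme, raw)) for i, (scheme, raw) in enumerate(captures)]


if __name__ == "__main__":
    for index, scheme, findings in audit_captures(SAMPLE_CAPTURES):
        print(index, scheme, findings or "clean")
```

The last sample is the case the post's second EDIT describes: the login moved to HTTPS, but a later request over port 80 still carries the session cookie, so the audit has to look at every request in the capture rather than only the login.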