XDA Developers Android and Mobile Development Forum

HTC Peep

egzthunder1
#1
Member Advocate Admin - Spirit of XDA - OP
HTC Peep

Seems that HTC is finally acknowledging Peep's vulnerabilities and while not publicly releasing an update, they will send it out to people who request it...

http://blog.taddong.com/2011/02/vuln...p-twitter.html

 
cajunflavoredbob
#2
Senior Member
It's about time they got a fix out for it!

By the way, the Tweet for @xdadevelopers went out saying this was for Android users, instead of Windows Mobile users.
¯-.¸¸.·´¯-.¸¸.·´¯-.¸¸.·´¯ New users: Please click HERE or HERE before posting ¯-.¸¸.·´¯-.¸¸.·´¯-.¸¸.·´¯

PHP Code:
public class XDA {
    public static void main(String[] args) {
        System.out.println("XDA Member");
        if (You beg for thanks) {
            "Go Jump Off a Bridge!";
        }
    }

------------------------------------------------------------------------------------------------
Whoso findeth a wife findeth a good thing, and obtaineth favour of the Lord. –Proverbs 18:22 KJV
 
orb3000
#3
XDA News Writer / Senior Moderator
We have published an article regarding this situation on our Portal

http://www.xda-developers.com/androi...bility-update/
orb


 
BrotherG
#4
Senior Member
How did you find the vulnerability, is there a packet analyzing tool for android?
 
cajunflavoredbob
#5
Senior Member
No luck

I just received a response from HTC saying they have no idea what I'm talking about. I just sent them back a response with the linked article. Hopefully someone can get the update from them and post it here so we don't have to deal with them at all.
 
Lothaen
#6
Senior Member
So is this Windows mobile only, or Android too?

Sent from my HTC Desire using XDA App
 
cajunflavoredbob
#7
Senior Member
Quote:
Originally Posted by Lothaen View Post
So is this Windows mobile only, or Android too?

Sent from my HTC Desire using XDA App
I don't think Android uses Peep in its interface for Sense. I'm not 100% positive on that, but I know we've had an issue with this for WM for about five or six months now.
 
cajunflavoredbob
(Last edited by cajunflavoredbob; 5th February 2011 at 08:11 PM.)
#8
Senior Member
In trying to get a hold of this update, here are my responses from HTC so far for anyone interested.

Quote:
Originally Posted by Me
I just heard about the update to HTC Peep for Windows mobile users. I have an AT&T Tilt2 with Sense loaded on it. I was hoping you guys could send me the Peep update so I could use that tab again without worrying.
Quote:
Originally Posted by Kathleen
I understand how important it is for you to be able to update your Peep application. Unfortunately, we are not aware of an update for the Peep application. I have looked for the update and it is nowhere to be found. You will need to keep an eye on http://www.htc.com/us/support/tilt-2-att/downloads/ for updates for your device.
Quote:
Originally Posted by Me
I read about the security flaw in the HTC Peep tab back in August and never used it because of this. The Peep application discloses the username and password via a HTTP OAuth-related request during the initial sign in to anyone eavesdropping on the connection. It also exposes the username and password after the connection is established by having all of the requests from the mobile device to the Twitter service use a HTTP Basic authentication header even though the app is supposed to be using OAuth. For more information, please refer to this article: http://blog.taddong.com/2011/02/vuln...p-twitter.html
Quote:
Originally Posted by Lindsay
We have not made an official update, any updates found on 3rd Party websites are up to you to do the research and download yourself. Just know these updates are considered rooting on your Tilt 2, so make sure before you update you do the research.
Quote:
Originally Posted by Me
Then when will the update be made public? It is kind of a pain that I've waited for six months now to use a feature of this device because of a security issue. Also, how would this be considered rooting since I'm not using an Android device? Windows Mobile users have administrator-like privileges by default in this operating system. There is no such thing as rooting on a Windows Mobile device.
Quote:
Originally Posted by Lindsay
If you re-write the ROM it is considered rooting. If you can add any applications to the SD Card and install it to the device, that is not rooting. We do not have any information on any updates available for your device at this time. I apologize that we do not have any updates for HTC Peep.
Quote:
Originally Posted by Me
I don't mean to sound insulting, but rooting is not the same as flashing a custom ROM. Rooting is gaining root-level administrator privileges on a Linux based operating system. Windows Mobile provides this access to the user by default. There is no other setting for this. Android, being a Linux based distro, does not come with root privileges installed to protect itself from users inadvertently messing around with things they shouldn't. It is the same thing on desktop operating systems like Ubuntu, Fedora, and the like. Rooting is completely different from flashing a custom ROM, as you are suggesting. Either way, an updated Sense tab using HTTPS, as it originally should have done, would be as simple as installing a *.cab file. My question, then, becomes to whom should I address this issue to get further support should I decide to call about it with the information I have?
Quote:
Originally Posted by Lindsay
The fact is we do not have an update for your device at this time. I apologize for this, but at this time we do not have any updates.
Quote:
Originally Posted by Me
Yes, you mentioned that. I asked whom I should voice my concerns with since this is the case. I understand that you don't have any information to offer me. I wasn't questioning that. I would simply like to know where I should go from here as there has been a serious security flaw in this device for quite some time. I do not mean to insult you, if I have done so, and apologize if I have, but I want this matter resolved once and for all. Obviously, the users are not allowed to modify the HTC Sense code or this would have been resolved some time ago. If some users were allowed the Peep source code, this could be rectified very quickly with the SenseSDK, but as that isn't an option, I, and several others, look to HTC to provide support for their product and software. If it is simply a problem of my device becoming outdated, then the HTC HD2 (Leo_512, Leo_1024) has the same problem on the latest ROM image as well.
Quote:
Originally Posted by Lindsay
I have sent the forum you sent me to the appropriate department for review. If you would like to troubleshoot your device I would be glad to further assist you, but at this time this email will need to be closed if there is no troubleshooting to be done on your device. Again, I have sent the forum to the appropriate department.

It doesn't look like HTC is playing ball here. I'm going to continue to try to figure this out as I would love to actually be able to use the Twitter tab for a change. I never really used it because of the security flaw that was found.
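The exposure described in the e-mail exchange above, as an added example that is not part of the original posts: a small audit that reads raw HTTP requests the way a passive observer on the network would and reports where a password travels, either in a Basic authentication header or in a sign-in form sent without TLS. The host, paths, form field names and credentials are constructed placeholders, not values from Peep or Twitter.

```python
import base64
import binascii
from urllib.parse import parse_qs

PASSWORD_FIELDS = {"password", "passwd", "pass"}  # assumed form field names

def split_request(raw):
    """Return (lower-cased header dict, body) for one raw HTTP/1.1 request."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_request(raw, over_tls):
    """Return (rule, detail) pairs for credentials this request puts on the wire."""
    findings = []
    headers, body = split_request(raw)
    scheme, _, param = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            # Base64 is an encoding, not encryption: any observer can reverse it.
            decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = ""
        rule = "basic-auth-over-tls" if over_tls else "basic-auth-cleartext"
        findings.append((rule, decoded.partition(":")[0]))  # report the user, never the password
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    if is_form and not over_tls:
        for field in sorted(set(parse_qs(body)) & PASSWORD_FIELDS):
            findings.append(("form-password-cleartext", field))
    return findings

# Constructed sample requests (not captured traffic); host, paths and credentials are placeholders.
BASIC = base64.b64encode(b"alice:S3cret!").decode()
TIMELINE = f"GET /timeline HTTP/1.1\r\nHost: api.example.test\r\nAuthorization: Basic {BASIC}\r\n\r\n"
SIGN_IN = ("POST /sign_in HTTP/1.1\r\nHost: api.example.test\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           "username=alice&password=S3cret%21")
SIGNED = ('GET /timeline HTTP/1.1\r\nHost: api.example.test\r\n'
          'Authorization: OAuth oauth_consumer_key="placeholder", oauth_signature="placeholder"\r\n\r\n')

if __name__ == "__main__":
    for name, raw in (("sign-in", SIGN_IN), ("timeline", TIMELINE), ("signed", SIGNED)):
        print(name, audit_request(raw, over_tls=False))
```

The signed OAuth request produces no finding because it carries a signature rather than the password, which is the behaviour the app was supposed to have on every request.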
 
reverepats
#9
Recognized Themer
I contacted taddong and they told me

Yeah, they told me they had no idea what I was talking about... I contacted "taddong" and they told me to send the link from their site regarding the issue to HTC and he would handle them if they wanted more info on it... I guess we'll see what happens.

 
xfullmetal17
(Last edited by xfullmetal17; 6th February 2011 at 06:41 AM.)
#10
Senior Member
Uh... "If you can add any applications to the SD Card and install it to the device, that is not rooting."

Under that logic, if unrevoked forever ever releases a .apk to turn S-OFF, does that imply that merely doing that to get root access isn't rooting?

edit: this is what happens when companies aren't smart enough to release some kind of auto-app updater, separate from OTA updates. Stuff like this takes an eternity. How hard is it to add an "s" to the http of the authentication? (for that matter, why the hell is Twitter letting you log in this way in the first place?)
