I was watching this video on phone hacking, and there was this part at around 12:45 where he was reading the password and email that had been sent. Except what he was reading looked awfully familiar…
It was a simple HTTP POST request! I had to try it out.
Using Fiddler, it becomes trivial to read the password that was entered.
If you try it on an HTTPS site it's a bit harder. But conveniently, Fiddler has an option that lets you intercept HTTPS traffic! So I managed to achieve something similar with Twitter, albeit I had to change settings on my computer (trusting Fiddler's certificate) to do this.
And using Python to decode it,
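The author's decoding script is not on the page, so here is an added example (my own, not the post's code) of what "decoding it" means: a captured login POST is split into request line, headers and body, and the URL-encoded form body is turned back into the fields the user typed. The request below is constructed for the example; the host, field names and values are made up.

```python
from urllib.parse import parse_qs

# Constructed sample of a login POST as a proxy like Fiddler (or the browser's
# web inspector) would show it. Not real traffic: host and values are invented.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 47\r\n"
    b"\r\n"
    b"email=alice%40example.test&password=p%40ss+word"
)

# Field names that commonly carry secrets; used only to flag what was exposed.
CREDENTIAL_NAMES = {"password", "passwd", "pass", "pwd", "token", "secret"}


def decode_form_post(raw: bytes) -> dict:
    """Parse a raw HTTP request and decode its form-encoded body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes from a pipelined request are ignored.
    length = int(headers.get("content-length", len(body)))
    body = body[:length]
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        raise ValueError(f"unsupported Content-Type: {ctype!r}")
    # parse_qs undoes %XX escapes and turns '+' back into spaces.
    decoded = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    fields = {name: values[0] for name, values in decoded.items()}
    return {"method": method, "path": path,
            "host": headers.get("host", ""), "fields": fields}


def exposed_credentials(fields: dict) -> dict:
    """Return only the fields a plaintext capture would have leaked."""
    return {k: v for k, v in fields.items() if k.lower() in CREDENTIAL_NAMES}


if __name__ == "__main__":
    req = decode_form_post(SAMPLE_REQUEST)
    print(req["method"], req["host"] + req["path"], req["fields"])
    print("leaked:", exposed_credentials(req["fields"]))
```

Over plain HTTP this is exactly what anyone on the path sees; over HTTPS the proxy only gets it because its certificate was deliberately trusted on the author's machine.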
Moral of the story:
- Don't send sensitive stuff if it's not over an HTTPS connection.
- If you're entering sensitive information on someone else's computer, consider it unsafe, since you don't know what kind of software is running in the background.
Very very cool stuff =)!
Be sure to check out the other episodes of the series.
Follow-up (4 hrs later)
Turns out your everyday built-in web inspector accomplishes the same thing…
So… a bit anticlimactic haha ^^'