Original Date: November 7, 2014
I was watching this video on phone hacking,
And there was this part at around
12:45 where he was reading the password and email sent. Except what he was reading looked awfully familiar…
It was a simple HTTP POST request! I had to try it out.
Using Fiddler it becomes trivial to get the password entered.
If you try it on a
https site it’s a bit harder. But conveniently, Fiddler has an option that lets you intercept HTTPS traffic! So I managed to achieve something similar with Twitter, albeit I had to change settings on my computer to do this.
Moral of the story:
- Don’t send sensitive stuff if it’s not over a https connection.
- If you’re entering sensitive information via someone else’s computer, consider it not safe. Since you don’t know what kinda stuff is running in the background.
Very very cool stuff =)!
Be sure to checkout the other episodes of the series.
Follow up (4hrs later)
Turns out your everyday built-in web inspector accomplishes the same thing…
So… a bit anti-climatic haha ^^’