Musings of a Fondue

Http Sniffing

Original Date: November 7, 2014

I was watching this video on phone hacking,

And there was this part at around 12:45 where he was reading the password and email sent. Except what he was reading looked awfully familiar…

It was a simple HTTP POST request! I had to try it out.

Using Fiddler it becomes trivial to get the password entered.

If you try it on a https site it’s a bit harder. But conveniently, Fiddler has an option that lets you intercept HTTPS traffic! So I managed to achieve something similar with Twitter, albeit I had to change settings on my computer to do this.

The full Twitter request,

And using Python to decode it,

Moral of the story:

  • Don’t send sensitive stuff if it’s not over a https connection.
  • If you’re entering sensitive information via someone else’s computer, consider it not safe. Since you don’t know what kinda stuff is running in the background.

Very very cool stuff =)!
Be sure to checkout the other episodes of the series.

Follow up (4hrs later)

Turns out your everyday built-in web inspector accomplishes the same thing…

So… a bit anti-climatic haha ^^’