Not using HTTPS?


#1

Was messing with some pretty basic session hijacking and password sniffing (basic as in using a freely available Android app), and was surprised at how easy it was to get my own username and password on my network. This can easily be extended to others on my network too (as in, I can session hijack and get the username/passwords of people who do anything on this site on my network), and can even be done on other networks too with ease.

To be fair though, this would likely be possible with any site that doesn’t use https for authentication, but I don’t know too many sites nowadays that don’t.

Should also note that I don’t specialize in network penetration at all, so the above is pretty basic/beginner-tier (generally speaking).

That was taken from http://yoyoexpert.com/privacy-statement.html but when I can get personal information from such basic tools, I really don’t think there’s much “precautions” going on.


#2

Good thing it’s just a yoyo forum.

Edit: Whoops sorry I think I misunderstood the thread.


#3

That is irrelevant.


#4

I think the key phrase here is, “on my network”.


#5

It is, but I suppose you could be on a shared network at a coffee shop or something, so it’s still a security concern. I personally still don’t get too bothered, though. Someone creating a middle-man attack has better targets than a person’s yoyo forum account.


#6

I only tested it on my network, but in reality, it could work anywhere. I could connect to a public hotspot and start sniffing.

As for what damage could be done; imagine being on the same network as a moderator. Anyone into causing some damage could have a bit of fun there. But at the very least, it’s a security concern, especially for people who don’t follow the “use a separate password for everything” rule.

Fortunately it seems the shop actually uses separate login credentials though (from what I’ve seen anyway; someone who’s actually used it might want to chime in), along with using HTTPS. On the other hand, how many people who have a customer account use separate credentials from that of their forum account?


#7

That free wifi at yoyo contests though. Anyways, just vpn it up.