
YouTube the plain-text password fairy

By Jeremy | July 30, 2008

So the other day I was doing some work and trying to explore different mainstream sites’ security models. I was using Fiddler and Firebug and just some simple tools. I tried Facebook and MySpace, Gmail and Yahoo and then I tried YouTube. I almost didn’t try because I figured, they are part of Google; I assume they just use HTTPS like Gmail. Well, folks, I was very wrong. I want to take you on a little journey with YouTube, the plain-text password fairy:

First, me, I created a nice fake profile: newuser258:

Next I started up Fiddler and then I logged in with my new account:

Then I checked Fiddler to see what exactly YouTube had sent through my browser and lo and behold, the plain-text password fairy was found out!

Well, I think the bottom line of all this is that the subsidiaries of the company that is not evil apparently don’t abide by the same non-evil rules.
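The manual check described above (log in through a proxy, then look at what the browser sent) can be repeated over a saved capture. This is an added example, not code from the original post; it assumes the proxy session was exported in HAR format, and the hosts, paths and field names in the sample are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Field names that usually carry a secret (a heuristic assumed for this example).
SECRET_NAME = re.compile(r"pass|pwd|secret", re.I)

def _form_fields(request):
    """Yield (name, value) pairs from the query string and the POST body."""
    yield from parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)
    post = request.get("postData") or {}
    if post.get("params"):
        for p in post["params"]:
            yield p.get("name", ""), p.get("value", "")
    elif "urlencoded" in post.get("mimeType", ""):
        yield from parse_qsl(post.get("text", ""), keep_blank_values=True)

def find_plaintext_credentials(har):
    """Return one finding per secret-looking field sent over http://."""
    findings = []
    for entry in har["log"]["entries"]:
        request = entry["request"]
        parts = urlsplit(request["url"])
        if parts.scheme.lower() != "http":
            continue  # requests sent over TLS are not what this check looks for
        for name, value in _form_fields(request):
            if value and SECRET_NAME.search(name):
                # Record only the length so the report never repeats the secret.
                findings.append(
                    (request["method"], parts.netloc, parts.path, name, len(value)))
    return findings

# Constructed sample capture: one cleartext login, one HTTPS login, one plain GET.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "http://video.example.test/login",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "username=newuser258&password=hunter2%21"}}},
    {"request": {"method": "POST", "url": "https://mail.example.test/auth",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "Passwd", "value": "s3cret"}]}}},
    {"request": {"method": "GET", "url": "http://video.example.test/watch?v=abc"}},
]}}

if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_HAR):
        print("cleartext secret field:", finding)
```

Only the first sample request is reported: its password field travels over `http://`, while the second login uses HTTPS and the third request carries no secret-looking field.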


One Response to “YouTube the plain-text password fairy”

  1. Sean Says:
    July 26th, 2009 at 2:18 pm

    Good to know… I have been using WebScarab for a while now, but your Fiddler looks pretty cool, I might have to look into that one.
