Same idea as the other security flaw I found. I thought the change password page would at least be secure, but it appears that even on this page Twitter is sending the passwords out in plain text instead of encrypting them.

Here the new password appears in the Username field of NetworkMiner. People may wonder what use these passwords are without a username. Well, using other tabs in NetworkMiner you can get the username as well, but I just never bothered to show that. Also, a lot of people have a bad habit of using the same password on other sites. So if someone gets your password for Twitter and you’re using it for, say, your Googlemail account, and they find out your e-mail address, then they’ll be able to get into that as well.

In further testing I changed the http to https before typing in the password. It makes no difference. The password is still picked up by Wireshark and NetworkMiner, meaning Twitter is sending the passwords in plain text.

I’m crap at explaining stuff, so for a better and easier to understand explanation of a Man in the Middle attack, check out Hak5’s vid:

http://www.youtube.com/watch?v=N86xJpna9Js

UPDATE:

netresec.com used this video on their blog and said they reported this issue to Twitter security and got a swift reply. Good on them, but the fuckers at Twitter never replied to me when I originally reported this. Besides, it took them months to fix this, which isn’t good.