May 4, 2008


Use Hahlo Twitter Client with Caution

Hahlo is a really nice Twitter client targeted primarily at the iPhone, but also usable from any browser. Unfortunately, it handles authentication in a completely insecure way, exposing users’ Twitter credentials to any third party sniffing packets on the network.

For starters, the login page does not use SSL. This in and of itself is a problem, since for that one login request a user’s credentials are sent in the clear, but it’s actually much worse. Hahlo stores a user’s username and password unencrypted in cookies. This means that every single request to Hahlo (even ones for images) includes the user’s username and password completely in the clear, so the exposure is not one request but every request for as long as the cookie lives.

This is unacceptable for a production application, especially since the risk is undisclosed to users. Definitely don’t use it at a coffee shop, tech conference or college campus. Or if you connect to the internet with a cable modem.

Update: @hahlo complained on Twitter that I didn’t mention that other Twitter clients are equally insecure. This is true (I just confirmed that PocketTweets has exactly the same vulnerability). I singled out Hahlo because it was a new release getting a lot of attention. But this is no excuse not to fix (or at least disclose) that Hahlo is so insecure.

The fix is not hard, either.

1) buy an SSL cert for $30
2) set up https://hahlo.com
3) use two-way (symmetric) encryption on the cookie, so that it can only be read with a secret key held by the server

(This is how Quotably handles authentication.)
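To make step 3 concrete, here is an added example (my own code, not Hahlo’s or Quotably’s) of what a sealed session cookie looks like in Go with the standard library’s AES-GCM: the cookie value is encrypted and integrity-protected under a key only the server knows, so a sniffer sees random-looking bytes and a modified cookie is rejected. It goes slightly beyond the three steps by also marking the cookie `Secure` (only ever sent over HTTPS, which is what steps 1 and 2 buy you) and `HttpOnly`. The key, the cookie name `hahlo_session` and the `alice:hunter2` sample value are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// SealCookie encrypts and authenticates plaintext with AES-GCM under key
// (16, 24 or 32 bytes). The result is base64url(nonce || ciphertext || tag);
// without the key it is unreadable, and any bit flip makes OpenCookie fail.
func SealCookie(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// A fresh random nonce per cookie; GCM must never reuse a nonce with a key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, nil) // nonce is prepended
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// OpenCookie reverses SealCookie and returns an error for a truncated,
// tampered, or wrong-key cookie value.
func OpenCookie(key []byte, value string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("cookie value too short")
	}
	nonce, ciphertext := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// NewSessionCookie wraps a sealed value in a cookie the browser sends only
// over HTTPS (Secure) and that page scripts cannot read (HttpOnly).
func NewSessionCookie(sealed string) *http.Cookie {
	return &http.Cookie{
		Name:     "hahlo_session", // assumed name, not Hahlo's real cookie
		Value:    sealed,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		Expires:  time.Now().Add(24 * time.Hour),
	}
}

func main() {
	// Constructed 32-byte key; a real deployment generates this once and keeps it secret.
	key := []byte("0123456789abcdef0123456789abcdef")
	sealed, err := SealCookie(key, []byte("alice:hunter2"))
	if err != nil {
		panic(err)
	}
	fmt.Println("Set-Cookie:", NewSessionCookie(sealed).String())
	plain, err := OpenCookie(key, sealed)
	fmt.Printf("opened: %q err=%v\n", plain, err)
}
```

The same key must be used on every server that reads the cookie, and rotating it simply logs everyone out. Note that encrypting the cookie hides the credentials from a sniffer but does not stop a captured cookie from being replayed for its lifetime; a short expiry and an opaque server-side session id instead of the password itself are the usual next steps.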