
Spoofing OAuth to log in with Twitter to Vine's undocumented API

Discussion in 'General Programming Chat' started by PowerSurge, Oct 3, 2013.

  1. PowerSurge

    PowerSurge Newbie

    Joined:
    Jun 11, 2012
    Messages:
    23
    Likes Received:
    2
    Hello all,

    As some of you may know, Vine has an undocumented API. To access it you simply do some snooping on packets going from the mobile app to Vine's servers to find out what the HTTP requests look like. You can then authorize a login and gain an access key by setting an email address and password within Vine's app and sending the appropriate HTTP requests.

    Another way to access Vine through the official application is by logging in with Twitter. Though it is a login method within the official application, I have not been able to spoof OAuth and log in with Twitter for the Vine applications I am trying to develop. However, I have seen an iOS application that connects with Vine and allows you to log in with your Twitter credentials.

    I am wondering if anybody has any experience with this sort of thing. If you do, I would really appreciate some answers as this is imperative to the functionality of an application I am trying to develop.

    -Surge
     
  2. sm754

    sm754 Registered Member

    Joined:
    Mar 21, 2012
    Messages:
    93
    Likes Received:
    38
    Occupation:
    Farmer
    Location:
    Azerbaijan
    Here is a very basic summary of how I proceed, generally, whether it's an undocumented API or just plain web interface:


    • Collect LOTS of data back-and-forth between your computer and the server
      • Make sure it's organized (timestamps, who's making what request in response to what, etc)
    • Develop a set of classes to represent API requests and responses
    • Develop methods to parse the raw API data from the server into these classes, and the classes into API data sent from your computer
      • Make sure your computer can reproduce the EXACT output of a real browser from the programmatic representation (spaces, weird Unicode characters, and all), and that you can parse all of your saved data
    • Build a "virtual" browser which will simulate everything necessary (timing, variables, maybe even a Javascript environment if the site has tricky protection like certain big search engines & social networks)

    Then, you just have to set up your web requests, making sure to switch up referrers, user agents, etc.

    In your specific case (iOS), if you haven't already, I would get started by using a proxy to sniff the requests made; if the requests are encrypted with HTTPS or something, you could try to use a man-in-the-middle attack on certificates; this might require jailbreaking or minor reverse engineering.
     
    • Thanks x 3
    Last edited: Oct 3, 2013
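The parse-then-reproduce step in the post above (represent each captured request as a class, then confirm your code emits exactly what the real client sent) is easy to get subtly wrong, so here is an added example of that round-trip check in Python. This is not sm754's code or anything from Vine or Twitter; the capture below is constructed, and the hostname, header values, credentials and signature in it are placeholders.

```python
"""Parse a captured HTTP/1.1 request into a class, pull the OAuth header fields
out of it, and check that serialising it back reproduces the capture byte for byte."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample capture. Hostname, credentials and signature are placeholders,
# not traffic from any real app.
SAMPLE_REQUEST = (
    b"POST /oauth/access_token HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"User-Agent: ExampleApp/1.2 (iPhone; iOS 7.0)\r\n"
    b'Authorization: OAuth oauth_consumer_key="abc123", oauth_nonce="7d8f3e4a", '
    b'oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D", oauth_signature_method="HMAC-SHA1", '
    b'oauth_timestamp="137131201", oauth_version="1.0"\r\n'
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"x_auth_mode=client_auth&q=1"
)


@dataclass
class CapturedRequest:
    method: str
    target: str
    version: str
    headers: List[Tuple[str, str]]  # (name, raw value incl. leading space); order kept
    body: bytes

    def serialize(self) -> bytes:
        # Re-emit exactly what was parsed: same header order, same whitespace.
        head = f"{self.method} {self.target} {self.version}\r\n"
        head += "".join(f"{name}:{value}\r\n" for name, value in self.headers)
        return head.encode("latin-1") + b"\r\n" + self.body

    def header(self, name: str) -> Optional[str]:
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v.strip()
        return None

    def oauth_fields(self) -> Dict[str, str]:
        # Authorization: OAuth k="v", k2="v2" ...  Values are percent-encoded.
        auth = self.header("Authorization") or ""
        if not auth.startswith("OAuth "):
            return {}
        fields = {}
        for part in auth[len("OAuth "):].split(","):
            key, _, val = part.strip().partition("=")
            fields[key] = unquote(val.strip('"'))
        return fields


def parse_request(raw: bytes) -> CapturedRequest:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("capture has no end-of-headers blank line")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name, value))
    req = CapturedRequest(method, target, version, headers, body)
    declared = req.header("Content-Length")
    if declared is not None and int(declared) != len(body):
        raise ValueError(f"Content-Length {declared} but body is {len(body)} bytes")
    return req


def round_trips(raw: bytes) -> bool:
    # The check the post calls for: if this is False, the model is losing bytes
    # (whitespace, header order, encoding) that the real client actually sends.
    return parse_request(raw).serialize() == raw


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.method, req.target, req.oauth_fields())
    print("round-trips:", round_trips(SAMPLE_REQUEST))
```

Run `round_trips()` over every request in the saved capture before trusting the model; a single header that your code normalises (order, case, a stripped space) is exactly the kind of drift a server-side fingerprint will notice.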
  3. PowerSurge

    PowerSurge Newbie

    Joined:
    Jun 11, 2012
    Messages:
    23
    Likes Received:
    2
    Thanks for the detailed response sm754. A few months ago, I went through and did the above bullet points, minus the virtual browser portion, by using Charles Proxy and a man-in-the-middle attack on certificates.

    I have intercepted the requests used when I log in to Vine with Twitter. I guess what my main question really should be is:

    What method do I use to generate the oauth_nonce and oauth_signature values so that the OAuth Twitter login appears to be coming from Vine, as opposed to my application?
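The question above is answered by the OAuth 1.0a signing rules in RFC 5849, so here is an added worked example in Python (not code from the thread, from Vine or from Twitter). oauth_nonce is just a unique random string; oauth_signature is an HMAC-SHA1 over a canonical form of the request, keyed by the consumer secret (plus the token secret, once one exists). The server looks up the consumer secret registered for oauth_consumer_key and recomputes the HMAC, so a request only "comes from" a given app if it is signed with that app's consumer key and secret; a native app generally ships that secret inside its binary, which is why it cannot be kept confidential. The credentials and URL below are constructed placeholders; the base-string check uses the request from RFC 5849 section 3.4.1.1.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing: what oauth_nonce and oauth_signature
are, and what the server checks. Added example, not Vine's or Twitter's code."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit, urlunsplit


def pct(value) -> str:
    # RFC 5849 section 3.6: encode everything except ALPHA / DIGIT / "-" / "." / "_" / "~",
    # with uppercase hex. urllib.parse.quote already leaves those unreserved characters bare.
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    # Section 3.4.1.2: lowercase scheme and host, drop default port, query and fragment.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default:
        host = f"{host}:{parts.port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method: str, url: str, params) -> str:
    # params: every (name, value) pair from the query string, the form body and
    # the oauth_* header fields, except oauth_signature itself.
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # Section 3.4.2: key is the two encoded secrets joined by "&"; the token
    # secret is empty before a token has been issued.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def new_nonce() -> str:
    # The nonce carries no secret; it only has to be unique per (timestamp, consumer
    # key, token) so the server can reject replays. Any CSPRNG string will do.
    return secrets.token_hex(16)


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or new_nonce(),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, list(params) + list(oauth.items()))
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, oauth


def verify_signature(method, url, params, oauth, consumer_secret, token_secret="") -> bool:
    # Server side: recompute over everything except oauth_signature, using the
    # consumer secret registered for oauth_consumer_key. Without that secret a
    # client can build a well-formed header but never a valid signature.
    claimed = oauth.get("oauth_signature", "")
    rest = [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
    base = signature_base_string(method, url, list(params) + rest)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode("ascii"), claimed.encode("utf-8"))


if __name__ == "__main__":
    # Constructed credentials and URL; not any real application's keys or endpoint.
    url = "https://api.example.com/oauth/access_token"
    body = [("x_auth_mode", "client_auth")]
    header, fields = sign_request("POST", url, body, "demo_consumer_key", "demo_consumer_secret")
    print(header)
    print("verifies with right secret:", verify_signature("POST", url, body, fields, "demo_consumer_secret"))
    print("verifies with wrong secret:", verify_signature("POST", url, body, fields, "guess"))
```

Note that the nonce is the easy part: generating a fresh one is trivial, and the server only uses it for replay detection. Everything that makes the request look like it came from a particular app lives in oauth_consumer_key and the consumer secret used in the HMAC key.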
     
  4. sm754

    sm754 Registered Member

    Joined:
    Mar 21, 2012
    Messages:
    93
    Likes Received:
    38
    Occupation:
    Farmer
    Location:
    Azerbaijan
    • Thanks x 1
  5. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    This is your answer but I'm not sure how much you want to publish an app using someone else's credentials. You're leaving yourself wide open to getting sued.
     
  6. PowerSurge

    PowerSurge Newbie

    Joined:
    Jun 11, 2012
    Messages:
    23
    Likes Received:
    2
    Thanks for the response Jazz, I have been weighing the option. In terms of legality, how do most apps and websites that work through information found on other services go about doing things? Would I be better off accessing Vine by making users set emails and passwords and spoofing HTML requests from my application?

    Also, in terms of legality, how about websites like vinescope.com, or Twitter/Instagram aggregators that are already set up? Are these legal? It seems as though it is a large grey area without much legal precedent.