Spoofing OAUTH to login with Twitter to Vine's undocumented API

P

PowerSurge

Newbie
Joined
Jun 11, 2012
Messages
23
Reaction score
2
Hello all,

As some of you may know, Vine has an undocumented API. To access it you simply do some snooping on packets going from the mobile app to Vine's servers to find out what the HTTP requests look like. You can then authorize a login and gain an access key by setting an email address and password within Vine's app and sending the appropriate HTTP requests.

Another way to access Vine through the official application is by logging in with Twitter. Though it is a login method within the official application, I have not been able to spoof OAUTH and be able to login with Twitter for Vine applications I am trying to develop. However, I have seen an iOS application that connects with Vine and allows you to login with your twitter credentials.

I am wondering if anybody has any experience with this sort of thing. If you do, I would really appreciate some answers as this is imperative to the functionality of an application I am trying to develop.

-Surge
 
Advertise on BHW
Here is a very basic summary of how I proceed, generally, whether it's an undocumented API or just plain web interface:


  • Collect LOTS of data back-and-forth between your computer and the server
    • Make sure it's organized (timestamps, who's making what request in response to what, etc)
  • Develop a set of classes to represent API requests and responses
  • Develop methods to parse the raw API data from the server into these classes, and the classes into API data sent from your computer
    • Make sure your computer can reproduce the EXACT output of a real browser from the programmatic representation (spaces, weird Unicode characters, and all), and that you can parse all of your saved data
  • Build a "virtual" browser which will simulate everything necessary (timing, variables, maybe even a Javascript environment if the site has tricky protection like certain big search engines & social networks)

Then, you just have to set up your web requests, making sure to switch up referrers, useragents, etc.

In your specific case (iOS), if you haven't already, I would get started by using a proxy to sniff the requests made; if the requests are encrypted with HTTPS or something, you could try to use a man-in-the-middle attack on certificates; this might require jailbreaking or minor reverse engineering.
 
Last edited:
sm754 said:
Here is a very basic summary of how I proceed, generally, whether it's an undocumented API or just plain web interface:


  • Collect LOTS of data back-and-forth between your computer and the server
    • Make sure it's organized (timestamps, who's making what request in response to what, etc)
  • Develop a set of classes to represent API requests and responses
  • Develop methods to parse the raw API data from the server into these classes, and the classes into API data sent from your computer
    • Make sure your computer can reproduce the EXACT output of a real browser from the programmatic representation (spaces, weird Unicode characters, and all), and that you can parse all of your saved data
  • Build a "virtual" browser which will simulate everything necessary (timing, variables, maybe even a Javascript environment if the site has tricky protection like certain big search engines & social networks)

Then, you just have to set up your web requests, making sure to switch up referrers, useragents, etc.

In your specific case (iOS), if you haven't already, I would get started by using a proxy to sniff the requests made; if the requests are encrypted with HTTPS or something, you could try to use a man-in-the-middle attack on certificates; this might require jailbreaking or minor reverse engineering.
Click to expand...

Thanks for the detailed response sm754. A few months ago, I went through and did the above bullet points, minus the virtual browser portion, by using Charles Proxy and a man-in-the-middle attack on certificates.

I have intercepted the requests used when I log in to Vine with Twitter. I guess what my main question really should be is:

What method do I use to generate the Oauth_nonce and Oauth_signature values so that the OAuth Twitter login appears to be coming from Vine, as opposed to my application?
 
sm754 said:
The nonce (pffff) value is entirely random, but you may need to reverse engineer to obtain the consumer secret, so that you can generate the signature.
Click to expand...

This is your answer but I 'm not sure how much you want to publish an app using someone else 's credentials. You 're leaving yourself wide open to getting sued.
 
jazzc said:
This is your answer but I 'm not sure how much you want to publish an app using someone else 's credentials. You 're leaving yourself wide open to getting sued.
Click to expand...

Thanks for the response Jazz, I have been weighing the option. In terms of legality, how do most apps and websites that work through information found on other services go about doing things? Would I be better off accessing Vine by making users set emails and passwords and spoofing HTML requests from my application?

Also, in terms of legality, how about websites like vinescope.com, or twitter/instagram aggregators that are already set up? Are these legal? It seems as though it is a large grey area without much legal precedent.
 
Advertise on BHW
You must log in or register to reply here.
Sign up now!

Main Menu

Home Main Forum List Black Hat SEO White Hat SEO BHW Newbie Guide Blogging Black Hat Tools Social Media Downloads

Marketplace

Account Selling Content / Copywriting EBooks / Methods Hosting Misc Proxies For Sale SEO - Link building SEO - Packages Social Media Social Media - Panels Web Design More

Making Money

Affiliate Programs Hire a Freelancer IM Journeys Making Money Pay Per Click Site Flipping Want to Buy

BlackHat World

Dispute Resolution Forum Suggestions & Feedback Introductions Lounge
Back
Top