Reverse engineering the KakaoTalk app so I can build a Beeper Bridge
jusung.devThis is actually really interesting. Kakao doesn't work on Linux, so if this becomes stable I could see myself using it as a way to chat on Kakao
Super impressive dedication. Hope this guy figures it out eventually and blogs about it again. This was super interesting and pretty funny.
What’s wrong with the plaintext login if it’s https ? What’s the standard for that now ?
Password managers generally send a hash but for almost all services I would say plain text password is standard, I would definitely go with something like firebase or auth0 vs rolling your own auth in most normal situations. The poster is explicit about not knowing anything about security though so all good.
This makes sense, I guess encrypting it on top of TLS doesn’t meaningfully improve security. My concern is that you’re trusting the server to immediately salt and hash upon receipt (especially before storing), but if the client at least obfuscated the password, then in the worst case of a leak you have an email and an obfuscated password that can be used to login to the pwned service but nothing else. My specific threat model depends on the average person not adopting password manager hygiene and 2fa across their services, which is fairly common amongst my friends personally.
Salts are fixed - so if you salt with, i.e. the email address, any attacker will also do that. The key derivation strategy of password managers is already known. Especially in a browser, salting strategy cannot be hidden so it's a known factor. As sad as it is, for those without good hygiene, either they are at risk of compromise, or tie identity to a device and are at risk of losing access entirely. There is currently no magic solution.
been considering writing a msteams bridge for beeper, given that there isn't one and i've previously written a small irc <-> msteams bridge. i wonder if anyone other than myself would be interested...
I personally (thankfully) would not be bc I don't use teams at work or anywhere, But I am certain there are people that would be.
wow, what a cool project!