Twitbin Fails Basic Password Security

Twitter Updates

@chr1sw3ndt I don't plan on ever getting anything Rock Band or Guitar Hero. Seen it. Tried it. Too stupid. Now get off my lawn. in reply to chr1sw3ndt 3 weeks ago
I don't know if I can say why, but I strongly prefer Duracell to Energizer. What's up with that? 3 weeks ago
Ben just discovered The Beatles. Unfortunately, the song he discovered is "Ob-La-Di, Ob-La-Da." He's only 16 mos. old, so I'll forgive him. 3 weeks ago
French court demonstrates the meaning of checks and balances: http://bit.ly/gLxo9 3 weeks ago
@davewiner Barry Manilow in reply to davewiner 3 weeks ago
More updates...

Twitbin Fails Basic Password Security

23 October 2007 by Dan

UPDATE: FIXED. See the comments below.

A couple weeks ago, I installed twitbin, a Firefox extension that loads twitter in a sidebar. But, I just happened to be checking my browser cookies, and I noticed that my twitter username and PASSWORD were stored in my browser cookies in plaintext! This is not even a session cookie -- it is persistent, with a one-year expiration.

Are you kidding me?! Twitbin -- uninstalled.

"[I]t is never appropriate for cookies to contain plaintext user names and passwords." [The World Wide Web Security FAQ]

Tags: firefox, security, twitter |

2 comments to “Twitbin Fails Basic Password Security”

Brian Breslin:
26 October 2007, on 10:25 am
Hey just to let you know, we fixed this issue and completely redid the way your cookies are set. They are now encrypted, and no longer plaintext.
Dan:
26 October 2007, on 1:33 pm
Thanks, Brian!

Yabfog

Pages

Subscribe

Twitter Updates

Archives

Meta

Twitbin Fails Basic Password Security

2 comments to “Twitbin Fails Basic Password Security”