Brian Breslin, of Twitbin, left a comment saying that Twitbin fixed the security flaw I previously pointed out. Cooool! 
Tag Archives: security
Twitbin Fails Basic Password Security
UPDATE: FIXED. See the comments below.
A couple weeks ago, I installed twitbin, a Firefox extension that loads twitter in a sidebar. But, I just happened to be checking my browser cookies, and I noticed that my twitter username and PASSWORD were stored in my browser cookies in plaintext! This is not even a session cookie -- it is persistent, with a one-year expiration.
Are you kidding me?! Twitbin -- uninstalled.
"[I]t is never appropriate for cookies to contain plaintext user names and passwords." [The World Wide Web Security FAQ]
WordPress and JavaScript Hijacking
I read this paper that Bruce Schneier linked to regarding JavaScript hijacking. Seems to me that WordPress plugin developers who piggyback on WordPress's builtin security features shouldn't have anything to worry about.
Judging from what little buzz there was, I think that's probably true, but I'm interested in others' thoughts.
Yikes! WordPress Hacked!
The WordPress crew have announced that the WordPress 2.1.1 download got cracked by an unnamed attacker who injected some code that would allow remote code execution. I'm glad I haven't upgraded!
Scheduled Tasks - Running Tasks Without A Password
For XP Pro: Go to Start/Administrative Tools/Local Security Policy/Security Settings/Local Policies/Security Options
Accounts: Limit local account use of blank passwords to console logon only. This is enabled by default, disable it.
For XP Home: (Keith Miller) Go to Start/Run/Regedit and navigate to this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Value name: limitblankpassworduse, Type: REG_DWORD, Data: 0 (disabled) 1 (enabled)
For Home: Run Scheduled Task without a Password (Line 67)
http://www.kellys-korner-xp.com/xp_tweaks.htm
Source:
Windows XP FAQ