Twitbin Fails Basic Password Security
UPDATE: FIXED. See the comments below.
A couple weeks ago, I installed Twitbin, a Firefox extension that loads Twitter in a sidebar. But I just happened to be checking my browser cookies, and I noticed that my Twitter username and PASSWORD were stored in my browser cookies in plaintext! This is not even a session cookie -- it is persistent, with a one-year expiration.
Are you kidding me?! Twitbin -- uninstalled.
"[I]t is never appropriate for cookies to contain plaintext user names and passwords." [The World Wide Web Security FAQ]
October 26th, 2007 at 10:25 am
Hey, just to let you know, we fixed this issue and completely redid the way your cookies are set. They are now encrypted, and no longer plaintext.
October 26th, 2007 at 1:33 pm
Thanks, Brian!