Twitbin Fixes Security Flaw
26 October 2007

Brian Breslin, of Twitbin, left a comment saying that Twitbin fixed the security flaw I previously pointed out. Cooool!
UPDATE: FIXED. See the comments below.
A couple of weeks ago, I installed twitbin, a Firefox extension that loads twitter in a sidebar. But I just happened to be checking my browser cookies, and I noticed that my twitter username and PASSWORD were stored in my browser cookies in plaintext! This is not even a session cookie -- it is persistent, with a one-year expiration.
Are you kidding me?! Twitbin -- uninstalled.
"[I]t is never appropriate for cookies to contain plaintext user names and passwords." [The World Wide Web Security FAQ]
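As an added example (this is not code from the original post or from Twitbin), here is a small Node script that parses Set-Cookie header lines and flags the pattern the post describes: a cookie whose name suggests a stored credential, that is persistent rather than session-scoped, and that lacks the HttpOnly and Secure attributes. The cookie names, values and dates are constructed for the example; the post does not say what Twitbin actually called its cookies.

```javascript
// Added example, not code from the original post or from Twitbin. Parses
// Set-Cookie header lines and flags the pattern the post describes: a cookie
// that looks like a stored credential, is persistent rather than session-
// scoped, and lacks the attributes that keep it away from scripts and HTTP.

const ONE_DAY = 24 * 60 * 60;
// Cookie names that suggest a credential rather than an opaque session id.
const CREDENTIAL_NAME = /pass(word|wd)?|pwd|secret|token|auth/i;

// Split one Set-Cookie line into name, value and lower-cased attributes.
function parseSetCookie(line) {
  const parts = line.split(';').map((s) => s.trim()).filter((s) => s.length > 0);
  const eq = parts[0].indexOf('=');
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq);
  const value = eq < 0 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Remaining lifetime in seconds: Max-Age wins over Expires (RFC 6265 5.3);
// neither attribute means a session cookie (0); an unparseable Expires gives null.
function lifetimeSeconds(cookie, now) {
  if (cookie.attrs['max-age'] !== undefined) return parseInt(cookie.attrs['max-age'], 10);
  if (cookie.attrs.expires !== undefined) {
    const t = Date.parse(cookie.attrs.expires);
    return Number.isNaN(t) ? null : Math.round((t - now) / 1000);
  }
  return 0;
}

function auditCookie(line, now) {
  const c = parseSetCookie(line);
  const life = lifetimeSeconds(c, now);
  const persistent = life === null ? true : life > 0; // unknown expiry: assume persistent
  const findings = [];
  if (CREDENTIAL_NAME.test(c.name)) {
    findings.push(`name "${c.name}" suggests a credential stored on the client`);
    if (persistent) findings.push('credential cookie is persistent, not session-scoped');
  }
  if (c.attrs.httponly === undefined) findings.push('missing HttpOnly: readable by page scripts');
  if (c.attrs.secure === undefined) findings.push('missing Secure: also sent over plain HTTP');
  return {
    name: c.name,
    persistent,
    lifetimeDays: life === null ? null : Math.round(life / ONE_DAY),
    findings,
  };
}

function auditAll(lines, now = Date.now()) {
  return lines.map((l) => auditCookie(l, now));
}

// Constructed sample: the post does not give Twitbin's cookie names or values.
// The "now" is pinned to the post's date so the lifetime is reproducible.
const SAMPLE_NOW = Date.parse('Fri, 26 Oct 2007 12:00:00 GMT');
const SAMPLE_SET_COOKIE = [
  'twitter_user=alice; expires=Sat, 25 Oct 2008 12:00:00 GMT; path=/',
  'twitter_pass=hunter2; expires=Sat, 25 Oct 2008 12:00:00 GMT; path=/',
  'session_id=8f1c0a2e; path=/; Secure; HttpOnly',
];

for (const r of auditAll(SAMPLE_SET_COOKIE, SAMPLE_NOW)) {
  const life = r.lifetimeDays === null ? 'unknown' : r.lifetimeDays;
  console.log(`${r.name}: persistent=${r.persistent} lifetimeDays=${life}`);
  for (const f of r.findings) console.log(`  - ${f}`);
}
```

Run it with `node` and the second sample line comes back with four findings: a credential-looking name, a 365-day lifetime, and neither HttpOnly nor Secure. The third line, an opaque session id with both attributes and no expiry, comes back clean, which is what a login cookie should look like.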
I read this paper that Bruce Schneier linked to regarding JavaScript hijacking. Seems to me that WordPress plugin developers who piggyback on WordPress's builtin security features shouldn't have anything to worry about.
Judging from what little buzz there was, I think that's probably true, but I'm interested in others' thoughts.
The WordPress crew have announced that the WordPress 2.1.1 download got cracked by an unnamed attacker who injected some code that would allow remote code execution. I'm glad I haven't upgraded!
For XP Pro: go to Start / Administrative Tools / Local Security Policy (secpol.msc) / Security Settings / Local Policies / Security Options, and find the policy "Accounts: Limit local account use of blank passwords to console logon only". It is enabled by default; disable it.

For XP Home (from Keith Miller): Home has no Local Security Policy console, so go to Start / Run / Regedit and navigate to this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Value name: limitblankpassworduse, Type: REG_DWORD, Data: 0 = disabled, 1 = enabled

Caveat: this policy is a safeguard, not a nuisance. While it is enabled, an account with a blank password can only log on at the keyboard; once it is disabled, the same account can also be used for network, Remote Desktop, service and scheduled-task logons. Disable it only on a machine that no untrusted network can reach, or, better, give the task's account a real password and leave the policy enabled.

See also, for Home: Run Scheduled Task without a Password (Line 67)
http://www.kellys-korner-xp.com/xp_tweaks.htm

Source: Windows XP FAQ
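As an added example (not from the original post or the linked FAQ), the same change scripted for an elevated PowerShell prompt. On both XP Pro and XP Home the policy is the LimitBlankPasswordUse DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so one script covers both; it audits the current setting and lists the local accounts that would gain network logon before anything is changed. The function names are my own, and the account listing uses the "password not required" account flag, which is an assumption about what to look at rather than a test of whether a password is actually blank.

```powershell
# Added example, not from the original post or the linked FAQ. Audits the
# "Limit local account use of blank passwords to console logon only" policy,
# which on XP Pro and XP Home alike is the LimitBlankPasswordUse DWORD under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and changes it only when asked.
# Run from an elevated PowerShell prompt; the function names are my own.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LimitBlankPasswordUse'

function Get-BlankPasswordPolicy {
    # Returns 1 (enabled: blank-password accounts may log on only at the console)
    # or 0 (disabled: they may also log on over the network and as scheduled tasks).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }   # value absent: Windows applies the default, enabled
    return [int]$item.$ValueName
}

function Get-PasswordNotRequiredAccounts {
    # Enabled local accounts carrying the "password not required" flag. This is
    # the account flag, not a logon test, so treat the list as candidates to
    # review rather than proof that the password is blank (assumption noted above).
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False" |
        Where-Object { -not $_.PasswordRequired } |
        Select-Object -ExpandProperty Name
}

function Set-BlankPasswordPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Type DWord -Value $Enabled
}

# Audit before touching anything.
"LimitBlankPasswordUse = $(Get-BlankPasswordPolicy) (1 = enabled, 0 = disabled)"
$candidates = @(Get-PasswordNotRequiredAccounts)
if ($candidates.Count -gt 0) {
    "Enabled local accounts flagged 'password not required': $($candidates -join ', ')"
    "Disabling the policy lets these accounts log on over the network, not only at the console."
}

# Uncomment one line to follow the FAQ's advice (disable) or to restore the default (enable):
# Set-BlankPasswordPolicy -Enabled 0
# Set-BlankPasswordPolicy -Enabled 1
```

The change takes effect for new logons without a reboot. If the audit lists accounts you did not expect, fix those accounts first; the policy is the only thing standing between a blank-password account and a network logon.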