Insecure usernames and passwords on Netvibes


While nosing around Netvibes the other day I noticed that its email widget doesn’t use HTTPS to send usernames and passwords back to the server. It is right there in the HTTP stream in clear text.

Seems a bit insecure, no? You might want to avoid any sensitive data like your Gmail login on Netvibes.

(I emailed the problem to Netvibes last week and they replied that they are working on an HTTPS solution but it isn’t ready yet.)

Viewing 1 Comment

    Well spotted. This is crazy.

    For something crazier, see WordPress.com, a very popular blog site, with plain text login data sent to an http endpoint from their https page!

    Madness.

    Worse now imo, folks are using their wordpress.com blog address as an OpenID.

    Kinda mental to think that if you make the mistake of posting about, say, your ski holiday in St. Anton from a café while you're there, somebody could sniff your password, and have access to all the on-line services you use OpenID with.

    I have emailed WordPress, and posted on my test blog there, they have not responded, and today it's still not fixed!
 
