New Security Update
Dear Twitbin users,
It came to our attention yesterday that we had made a mistake in the way we were writing the cookies to your computers. Turns out, since we were trying to do it all via JavaScript, we didn’t encrypt the cookies the way we should have. We have since rectified the issue and released a new version patching this and a couple other bugs we found along the way. Now your cookies will be encrypted so as to protect your username/passwords.
For those of you wondering, the old version left your cookies open to reading if someone ever managed to access your local computer’s cookie folder. Since we don’t store any of your personal data, it meant that your own computer would have to be compromised for this to affect your security. However, this is still no excuse for us having overlooked this before (we just didn’t think of it), and for that we apologize.
So to make sure you are using the latest version, please clear your cache and cookies and you should have your cookies replaced next time you log back in.
Thank you for your patience and for using Twitbin.
Brian Breslin
CEO infinimedia

October 24th, 2007 at 7:51 pm
Thanks for making Twitbin and thanks for the security update.
October 26th, 2007 at 9:37 pm
Brian - Thanks for the quick fix and the great tool that is Twitbin. Note, however, that the security issue with plaintext passwords in cookies extends to sending those plaintext passwords in HTTP requests, too — compromise of the user’s computer is not the only concern. So if those usernames and passwords are being decrypted and then sent via HTTP and not HTTPS, credentials are still going over the wire (or air) in plaintext.