BeTwittered is a pretty popular and visually appealing Twitter gadget for iGoogle and the like.
I had been using it for a while until today, when I saw that it sends your Twitter username and password in clear text, without SSL, as GET parameters, making them extremely easy to intercept.
Here's a sample request: http://betwittered.com/api/?_=1265242511260&req=verify_credentials&username=foo&password=bar
You've been warned.
The obvious solution is to switch to OAuth, of course, which should be easy enough to implement, considering all the OAuth libraries floating around for all the popular languages.
P.S. I also tweeted this to the BeTwittered creators, so that they can fix the problem.
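
A way to check proxy or access logs for the request pattern shown above, as an added example that is not part of the original post and not BeTwittered's code. The `SENSITIVE` parameter list, the `audit_url` helper and the two `example.test` URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as secrets (an assumed list; extend it for your environment).
SENSITIVE = {"password", "passwd", "pwd", "pass", "secret", "token",
             "api_key", "access_token"}


def audit_url(url):
    """Return (findings, redacted_url) for one logged request URL."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    findings = []
    if leaked:
        # Query strings are written to server and proxy logs, browser history
        # and Referer headers, so this is a finding even when TLS is used.
        findings.append("secret-in-query:" + ",".join(sorted(set(leaked))))
        if parts.scheme.lower() != "https":
            # No TLS: anyone on the network path can read the value.
            findings.append("cleartext-transport")
    # Rebuild the URL with secret values masked so the report itself is safe to store.
    redacted = urlencode(
        [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    )
    return findings, urlunsplit(parts._replace(query=redacted))


# Constructed sample input: the request quoted in the post plus two made-up URLs.
SAMPLE_URLS = [
    "http://betwittered.com/api/?_=1265242511260&req=verify_credentials"
    "&username=foo&password=bar",
    "https://example.test/api/?req=verify_credentials&Password=bar",
    "https://example.test/api/?req=timeline&count=20",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        findings, safe = audit_url(u)
        print(findings or ["ok"], safe)
```

The second sample shows that moving to HTTPS alone clears only the transport finding; the password still sits in the query string.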