

Using BeTwittered? Did you know it sends your Twitter u/p plaintext in the url? - archon810

BeTwittered is a pretty popular and visually appealing iGoogle, etc. gadget for Twitter.

I've been using it for a while until today I saw that it sends your Twitter username and password in clear text, without SSL, as a GET parameter, making it extremely easy to intercept.

Here's a sample request: http://betwittered.com/api/?_=1265242511260&req=verify_credentials&username=foo&password=bar

You've been warned.

The obvious solution is to switch to OAuth, of course, which should be easy enough to implement, considering all the OAuth libraries floating around for all the popular languages.

P.S. I also tweeted this to the BeTwittered creators, so that they can fix the problem.
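
An added example, not part of the original post and not BeTwittered's code: a check that scans request URLs (for instance from a proxy log) for credentials passed as query parameters, flags the ones sent without TLS, and redacts the values before the line is stored or shared. The parameter-name list, the log layout and the example.test URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as secrets (assumed list; extend for your environment).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "secret", "api_key"}


def audit_url(url):
    """Return (findings, redacted_url) for one request URL."""
    # URLs copied out of HTML may carry entity-encoded ampersands (&#38; / &amp;).
    # Left as-is, the '#' would be parsed as the start of the fragment and hide
    # every parameter after it, so normalise those two forms first.
    url = url.replace("&amp;", "&").replace("&#38;", "&")
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hits = sorted({k for k, _ in pairs if k.lower() in SENSITIVE})
    findings = []
    if hits:
        # Query strings end up in server logs, proxy logs and browser history.
        findings.append("secret in query string: " + ", ".join(hits))
        if parts.scheme.lower() != "https":
            findings.append("sent without TLS")
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return findings, urlunsplit(parts._replace(query=urlencode(redacted)))


def audit_log(lines):
    """Scan log lines whose last whitespace-separated field is the URL."""
    report = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        findings, redacted = audit_url(line.split()[-1])
        if findings:
            report.append((number, findings, redacted))
    return report


# Constructed sample log: the first URL is the sample request from the post,
# the other two are made up for contrast.
SAMPLE_LOG = [
    "GET http://betwittered.com/api/?_=1265242511260&req=verify_credentials&username=foo&password=bar",
    "GET https://example.test/timeline?count=20",
    "GET https://example.test/login?user=foo&PWD=bar",
]

if __name__ == "__main__":
    for number, findings, redacted in audit_log(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(findings)} -> {redacted}")
```

The third sample line is still reported even though it uses HTTPS: TLS protects the query string on the wire, but the password is still written to logs and history at both ends.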
======
djhomeless
Huh? oauth hello? It's not exactly rocket science to implement

------
archon810
In addition, it stores your Twitter username and password in unencrypted
cookies. /sigh

