

Tell HN: Bitcasa is leaking your emails - aaroncray

I'm pretty sure users aren't aware this is happening. The CEO was alerted a few weeks ago about this issue:
https://twitter.com/aaroncray/status/253737089051541504/photo/1

Click on any of the links in this search result:
https://twitter.com/search/realtime?q=l.bitcasa&src=typd
======
rkjbnz
I'm more worried why they are using my password in hidden form fields in the
clear on signup.

<http://dl.dropbox.com/u/12035718/after-signup-source.jpg>

It seems after the initial signup the server responds with the
question/answer form and pre-populates hidden fields with my entered password
in the clear, which kind of makes me wonder how my password is stored. I'm
hoping my password isn't stored like this and they are just passing it back as
a response param, or perhaps the initial signup isn't hitting the server at
all??
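
A regression check for the behaviour described in the comment above, as an added example that is not part of the original thread or Bitcasa's code: it scans a response page for form fields whose value echoes a credential the client just submitted. The sample HTML, field names and token value are constructed assumptions.

```python
from html.parser import HTMLParser


class ReflectedSecretFinder(HTMLParser):
    """Collect form fields whose value echoes a secret the client submitted."""

    def __init__(self, secrets):
        super().__init__(convert_charrefs=True)
        self.secrets = [s for s in secrets if s]  # ignore empty strings
        self.findings = []  # tuples of (tag, field name, input type)

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "option", "textarea"):
            return
        # HTMLParser has already decoded entities such as &amp; in values.
        a = {k: (v or "") for k, v in attrs}
        if any(s in a.get("value", "") for s in self.secrets):
            self.findings.append(
                (tag, a.get("name", ""), a.get("type", "text").lower())
            )


def find_reflected_secrets(html, secrets):
    """Return every field in `html` that carries one of `secrets` in clear."""
    finder = ReflectedSecretFinder(secrets)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: second signup step that carries the password forward
# in a hidden field, as the comment describes.
LEAKY_RESPONSE = """
<form action="/signup/question" method="post">
  <input type="hidden" name="email" value="user@example.com">
  <input type="hidden" name="password" value="Tr0ub4dor&amp;3">
  <input type="text" name="answer" value="">
</form>
"""

# Constructed sample: same step, with state held server-side behind an
# opaque token (one possible fix, assumed here for contrast).
SAFE_RESPONSE = """
<form action="/signup/question" method="post">
  <input type="hidden" name="signup_token" value="PLACEHOLDER_OPAQUE_TOKEN">
  <input type="text" name="answer" value="">
</form>
"""

if __name__ == "__main__":
    print(find_reflected_secrets(LEAKY_RESPONSE, ["Tr0ub4dor&3"]))
    print(find_reflected_secrets(SAFE_RESPONSE, ["Tr0ub4dor&3"]))
```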

------
lukebehnke
Thanks for the feedback. I work at Bitcasa and we have discussed internally.
We decided to remove it. Instead we will show the user's first name only, so
the share is still somewhat "personalized". The push will go this afternoon.
Thanks, Luke @ Bitcasa

------
bmelton
I think it makes sense that I would be able to see who invited me. If the link
is public, then one assumes that they aren't terribly concerned with their
privacy, or are weighing more heavily the incentives to their privacy.

Sure, it would be better if it just showed "f_name l_name" instead of email,
but I don't think this is a terribly egregious offense. Maybe that's just me
though.

