You can test it, if you are having any blog on wordpress.com like www.raxitsheth.wordpress.com or you are having blog on your site which is powered by wordpress.
Create a post, password protect it. Take any cookie viewer/proxy/cookie-editor, and view your password in cleartext in your cookie !!! Can't believe.... check this snap ....
So What ???
1. storing password (in cleartext)(or any piece of info which someone can misuse) at client side is just dumb idea !
2. Even this cookie is only readable by your wordpress.com domain/subdomain/blog-address, if any bug in wordpress like XSS can exploit this.
3. Forgot the 2, if you are in cybercafe/office/behind proxy... you admin can read the password of password protected blog. !!!
Note 1 : wordpress.org is already knowing the issue [since 2 year ???] and ticket is re-opened here
http://trac.wordpress.org/ticket/3316
Note 2: If you are in/ around Mumbai, you can catch me during OWASP Meet, venue/date will be declared soon.
Interesting ???? Share your comment here....
-Raxit Sheth
www.Mykavita.com 1st birthday !
2 comments:
Dear Author raxitsheth.blogspot.com !
At all personal messages send today?
This is wonderful blog. I love it.
Post a Comment