ReadItLater on the iPhone and iPad not only stores the user’s password in plaintext, it also shows it during the process of creating a bookmarklet.
I filed this bug on May 23 (!) in the developer's bug tracker and Nate promised to fix it. The issue is still marked as „open“. To me, this is way too long now, and I decided to publish it.
It would be great if anybody could second my findings and/or check whether this bug is present on other platforms.
Here is how it works:
- Open ReadItLater on your iPhone or iPad
- Tap the (+)-Button (Add)
- Tap „Add Read Later functionality to your web browser“
- Tap „Install the bookmarklet“
- This opens Safari with a predefined URL.
- As soon as you see the Safari window popping up, immediately hit Cancel to prevent the page from loading any further.
- You now see your username and password in plaintext (URL-encoded) as parameters inside the URL (u=_user_&p=_password_).
This is unacceptable in three different ways:
- The storage of a plain-text password is a very bad practice; why not use a hash to identify the user?
- The public exhibition of the username and password to anyone with access to the device is even worse.
- The developer's knowledge of this bug and the time that has passed since I filed it is the worst part. It can't be that hard to change this.
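As an added illustration (not code from ReadItLater or from this post), the following Python shows both halves of the problem above: a small check that flags credential-carrying query parameters in a bookmarklet URL like the one described, and the kind of replacement a bookmarklet flow should use instead. It goes slightly beyond the post's suggestion of a hash: the bookmarklet carries a random, revocable token, and the server stores only the SHA-256 of that token, so neither the password nor anything that reveals it ever appears in a URL. The endpoint `https://example.invalid/bookmarklet`, the parameter name `t`, the sample username and password, and the in-memory `user_db` are all constructed assumptions.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlsplit

# Query-parameter names that commonly carry credentials. "u" and "p" are the
# ones the post describes in the bookmarklet URL; the rest are common variants.
USERNAME_PARAMS = {"u", "user", "username", "login"}
PASSWORD_PARAMS = {"p", "pass", "password", "pwd"}

# Constructed sample of the kind of URL described in the post (not a real one).
SAMPLE_LEAKY_URL = "https://example.invalid/bookmarklet?u=alice&p=s3cret%21"


def credentials_in_url(url):
    """Return credential-looking query parameters found in a URL.

    Password values are replaced with '***' so the result is safe to log;
    URLs end up in browser history, proxy logs and Referer headers, which
    is exactly why a password must never travel as a query parameter.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    found = {}
    for name, values in query.items():
        key = name.lower()
        if key in USERNAME_PARAMS:
            found[name] = values[0]
        elif key in PASSWORD_PARAMS:
            found[name] = "***"
    return found


def _token_hash(token):
    # A plain SHA-256 is adequate here because the token is 256 bits of
    # CSPRNG output; slow password hashing is for low-entropy secrets.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_bookmarklet_token(user_db, username):
    """Mint an opaque token for the bookmarklet and store only its hash.

    A leaked database row therefore does not reveal a usable token, and the
    token can be revoked without touching the user's password.
    """
    token = secrets.token_urlsafe(32)
    user_db.setdefault(username, {})["bookmarklet_token_hash"] = _token_hash(token)
    return token


def verify_bookmarklet_token(user_db, username, token):
    """Constant-time comparison of the presented token against the stored hash."""
    record = user_db.get(username)
    if not record or "bookmarklet_token_hash" not in record:
        return False
    return secrets.compare_digest(record["bookmarklet_token_hash"], _token_hash(token))


def revoke_bookmarklet_token(user_db, username):
    """Invalidate the bookmarklet without changing the password."""
    user_db.get(username, {}).pop("bookmarklet_token_hash", None)


def build_bookmarklet_url(base_url, username, token):
    """Hypothetical install URL: carries the revocable token, never the password."""
    return f"{base_url}?u={quote(username, safe='')}&t={quote(token, safe='')}"


if __name__ == "__main__":
    print("leaky URL exposes:", credentials_in_url(SAMPLE_LEAKY_URL))
    db = {}
    tok = issue_bookmarklet_token(db, "alice")
    url = build_bookmarklet_url("https://example.invalid/bookmarklet", "alice", tok)
    print("hardened URL exposes:", credentials_in_url(url))
    print("token verifies:", verify_bookmarklet_token(db, "alice", tok))
```

The detector is the check a reviewer would run over any URL an app hands to the system browser; the token functions show the server-side shape that makes the bookmarklet harmless to shoulder-surf, since a revoked or expired token buys nothing and the password is never on screen.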
This article is a cross-post from Google+.