Posted by: Diabolic Preacher | September 17, 2008

Read It Later… shows password in plain text… sucks now!

Read It Later? No thank you. I don’t need such an insecure extension.

Read It Later is a (who knows what type) award-winning Firefox extension that’s supposed to make the process of bookmarking pages for later reading as quick as a click of a tick(mark) icon in the address bar. Like Foxmarks, it also lets you sync your list with other computers. So, you know, the usual scenario would be: you find a bunch of cool links to read up on at the workplace, but you certainly don’t have the time to get into them. You sync the list with your home computer and you can continue there. So where lies the problem?

The extension is simply awesome in what it does, but for one serious blunder that anyone concerned with even a bit of security and privacy would be really worked up about. As I installed it on the computer assigned to me at the workplace (and this ain’t a machine that’s exclusively mine; the browser can be accessed by anyone and everyone in the organization), I checked out the RSS Sync feature, which, being the first time, led into the Options dialog to adjust the RSS/Syncing settings. The feed password is shown in plain text. In bold!! What’s worse is that if you turn off syncing, the section showing the password is greyed out but the password is still easily readable. This extension isn’t supposed to be a social “read it later” list. It’s for one person’s purpose. There isn’t a way to not save the password and have an ‘ask for password’ prompt. This I find is particularly the case with most extensions in Firefox that connect to some password-protected account, though I haven’t seen others that just display your password out there for all to see. Is XUL/chrome/Gecko so retarded that there isn’t even a password (asterisks-only) field that can be put in extensions?

I changed the password online and it started showing up in the extension in plain text, and that was it. I got rid of the extension before anything else. Now I gotta try and see if re-installing creates a new list feed or the same feed with my password.
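The options dialog the post describes shows the feed password in a plain text box and keeps it in a preference, so it is readable on screen and in the profile’s `prefs.js`. As an added example that is not part of the original post or of the Read It Later extension, here is how a Firefox 3 era XUL options dialog could instead use a masked `textbox type="password"` and hand the secret to the browser’s Login Manager (`nsILoginManager`) rather than a preference. The dialog and element ids, the `extensions.example.feedPassword` preference name, and the `ril.example.invalid` host and realm are placeholders I made up; the real sync URL is not on the page, so it is not used.

```xml
<?xml version="1.0"?>
<!-- Added example, not the Read It Later extension's own code. -->
<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
<dialog id="example-sync-options"
        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
        title="Sync options (example)"
        buttons="accept,cancel"
        onload="loadFeedCredentials();"
        ondialogaccept="return saveFeedCredentials();">

  <!-- WEAK (what the post describes): a plain textbox bound to a preference
       shows the secret on screen and writes it to prefs.js in cleartext.
       <textbox id="feed-password" preference="extensions.example.feedPassword"/>
  -->

  <!-- Hardened: masked input, no preference binding. -->
  <grid>
    <columns><column/><column flex="1"/></columns>
    <rows>
      <row align="center">
        <label control="feed-user" value="Feed user:"/>
        <textbox id="feed-user"/>
      </row>
      <row align="center">
        <label control="feed-password" value="Feed password:"/>
        <textbox id="feed-password" type="password"/>
      </row>
    </rows>
  </grid>

  <script type="application/x-javascript"><![CDATA[
    // Placeholder host and realm (constructed for this example); the extension
    // would use its real sync endpoint here.
    const HOST  = "https://ril.example.invalid";
    const REALM = "Example feed sync";

    function loginManager() {
      return Components.classes["@mozilla.org/login-manager;1"]
                       .getService(Components.interfaces.nsILoginManager);
    }

    // Look up the stored login for our host/realm, if any. In this API version
    // findLogins takes an out-parameter count object as its first argument.
    function findFeedLogin() {
      var logins = loginManager().findLogins({}, HOST, null, REALM);
      return logins.length ? logins[0] : null;
    }

    // Fill the dialog from the Login Manager. The field stays masked, and the
    // stored entry is protected by the user's master password if one is set.
    function loadFeedCredentials() {
      var login = findFeedLogin();
      if (login) {
        document.getElementById("feed-user").value = login.username;
        document.getElementById("feed-password").value = login.password;
      }
    }

    // Remove any previous entry first so a password change does not leave the
    // old credential behind, then store the new one through the Login Manager.
    function saveFeedCredentials() {
      var user = document.getElementById("feed-user").value;
      var pass = document.getElementById("feed-password").value;
      var mgr  = loginManager();
      var old  = findFeedLogin();
      if (old) mgr.removeLogin(old);
      if (user && pass) {
        var LoginInfo = new Components.Constructor(
          "@mozilla.org/login-manager/loginInfo;1",
          Components.interfaces.nsILoginInfo, "init");
        // init(hostname, formSubmitURL (null: not an HTML form), httpRealm,
        //      username, password, usernameField, passwordField)
        mgr.addLogin(new LoginInfo(HOST, null, REALM, user, pass, "", ""));
      }
      return true;
    }
  ]]></script>
</dialog>
```

The ‘prompt once per session’ behaviour asked for further down the page would follow the same shape: skip `loadFeedCredentials()` and read the masked field only at sync time instead of at dialog load. Moving the secret into the Login Manager is a real improvement over a preference, but it is not a complete defence on a shared machine: anyone using the same unlocked profile can still reveal saved passwords through the browser’s own Saved Passwords dialog unless a master password is set.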


Responses

  1. Passwords

    Hey pintooo

    This is Nate, the developer for Read It Later.

    I completely understand your concern about plaintext passwords and this issue is being addressed in the next version which is due out in a few weeks.

    The reason the password is shown in plaintext is because users need to be able to know what it is (since it’s randomly generated) in order to sync other computers together. This was considered a low threat because if someone malicious got onto your computer, they could modify your list simply by using the extension. But now with the recently added ability to modify your password, it becomes a little more dangerous.

    Though it’s not 100% finalized (suggestions are welcome), it’s likely this will be handled by allowing you to hide the password by supplying an email address so that if you forget it you are still able to retrieve it.

    If you have any interest in joining the beta team, I think you could definitely offer some feedback on the new version before it comes out.

    If you have any other questions/concerns, please drop me a line at ril@ideashower.com.

    Thanks!

    Nate

    • Re: Passwords

      Hi Nate,
      Thanks for going through my post, and you gotta know how it feels when the whole product is worthy of all praise except that one single annoyance that just turns the 🙂 into 😦. It’s like ‘damn! if only this wasn’t the issue I’d straightaway recommend this extension to all my friends’.

      I don’t mind sharing my list for the majority of the URLs that I check out, and the long-cut way I currently use is to tag bookmarks using simpy.com as ‘pending’. A long cut for sure, but it lets me have a private set of URLs too. What Read It Later offers is definitely much more tailored to what I’m really looking for, except the threateningly revealing password.

      //quote
      they could modify your list simply by using the extension.
      //unquote

      But isn’t that because the default list feed’s randomly generated or manually manipulated password is saved in the extension itself? Do you even transmit the passwords in plaintext?

      It is definitely not a wise thing to show off passwords, whether randomly generated or manually set, and a person using Firefox tells something about his/her concern for having his identity and data secure.
      Hiding is ok. Even ‘prompt once per session’ for the password is ok. But please don’t store it in plain text in some ini or xml file.

      One more annoyance, which I also have with some other extensions, is: why did I see the options dialog just once, when I had to set up the sync feed the first time, and then every time after that I had to dig into Add-ons and then get into the options of the Read It Later extension? Add-ons doesn’t even have a keyboard shortcut, and without your options dialog I can’t even check if there is a keyboard shortcut to invoke RIL options either. Your toolbar icon itself could have a link to the options dialog.

      Best wishes for future-proof future versions. 🙂


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: