
Pownce has a big security problem

Kevin Rose’s latest project, Pownce, has a glaring security problem on its front page. The JavaScript that Pownce uses in its login form can reveal your password in plain text on the screen. Here are the steps to reproduce the problem in Firefox:

  1. Log in to Pownce via http://www.pownce.com/. Allow Firefox to save your login information for next time, and then log out.


  2. Navigate to http://www.pownce.com/ and type the first part of your username in the “Enter username…” box. Firefox will supply all of the matching usernames it remembers for this site. (So far, so good.)


  3. Select your username and press return to have the browser autofill the rest of your information. Oh look, there’s your Pownce password in plain view! I hope no one in the room was watching you log in…


The cause is the method Pownce uses to show the “Enter password…” prompt inside the password field. Browsers mask everything typed into a password field with asterisks, so a site that wants readable prompt text in that field, as Pownce has chosen to, has to work around the standard behaviour in a non-standard way, and that workaround is what lets the browser’s autofilled password appear unmasked.

This bug affects Firefox and Netscape users who have JavaScript enabled, but it doesn’t affect Safari users.


Kevin Rose’s new project: Pownce

Digg founder Kevin Rose’s “IM competitor” startup, hyped on Digg two months ago, has launched, and it appears to be a Twitter clone with support for posting files. It’s named Pownce, and it calls itself “a way to send messages, files, links, and events to your friends.”

It’s invite-only right now (I’m on the waiting list), so there’s not much information available about the app. Leah Culver (Pownce developer) has blogged about Pownce here, but doesn’t really add any information not on Pownce’s about page. (Viewing her Pownce profile page does give some insight into how the service may work.) As is standard operating procedure with Web 2.0 startups, there’s a Pownce blog (currently content-less save for the requisite Hello World post), which I’m sure will be the best place to watch for updates on Pownce’s progress.

It will be interesting to see what becomes of this site; it’s got a big advantage over any random startup since it will undoubtedly be splashed all over Digg due to Kevin’s involvement, but we’ll see if it’s able to make the jump from being popular with Digg fanboys to being popular with the average Web user.
