Foxmarks Insecurities
Newsflash! Foxmarks bookmark synchronizer transmits your username and password in cleartext.
I had LiveHTTP Headers open while trying to figure out a POST error to a server at work when Foxmarks went ahead and sync'd up. I noticed the extra header info and was mildly surprised to find that it had sent my username and password in cleartext over an insecure connection, like so: http://username:password@sync.foxcloud.com/home/username/foxmarks.xml
So what does this mean for us? Well, anyone sniffing your traffic (can you say "insecure wireless network"?) will get instant access to your account. There are no real solutions, but you can do a few things to limit the damage.
- Don't use that password on any other site or service.
- Don't auto-synchronize on a wireless connection; wait for a hardline if you can.
- Don't put sensitive links or information into Foxmarks.
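To check your own header captures for the same problem, the sketch below flags any request that carries credentials without TLS, either in the URL's user:password@ part or in an `Authorization: Basic` header (which is only base64-encoded, not encrypted). It is an added example, not code from the original post or from Foxmarks; the function names, the `sync.example.test` host and the sample requests are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import urlsplit


def basic_auth_user(header_value):
    """Return the username from an 'Authorization: Basic ...' value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64 text, so not a usable Basic credential
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def audit_request(url, headers):
    """List credentials this request would send without transport encryption."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "https":
        return []  # protected in transit by TLS
    findings = []
    if parts.username or parts.password:
        findings.append(("url-userinfo", parts.username or "", parts.hostname))
    for name, value in headers.items():
        if name.lower() == "authorization":  # header names are case-insensitive
            user = basic_auth_user(value)
            if user is not None:
                findings.append(("basic-auth-header", user, parts.hostname))
    return findings


# Constructed sample requests (URL, headers); only the first URL is from the post.
BASIC = "Basic " + base64.b64encode(b"username:password").decode()
SAMPLES = [
    ("http://username:password@sync.foxcloud.com/home/username/foxmarks.xml", {}),
    ("http://sync.example.test/foxmarks.xml", {"Authorization": BASIC}),
    ("https://sync.example.test/foxmarks.xml", {"Authorization": BASIC}),
    ("http://sync.example.test/public.xml", {"Accept": "*/*"}),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        for kind, user, host in audit_request(url, headers):
            # Report only the username and host, never the password itself.
            print(f"cleartext credentials ({kind}) for user {user!r} sent to {host}")
```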