Re: Audiogalaxy again


 



> Some time ago I released a statement about Audiogalaxy keeping usernames and
> passwords in clear text in a file on the user's system.  Well, shortly after
> that they fixed it, or so it seemed.  I notified the good people over at
> Audiogalaxy about this months ago and I see nothing has changed.
> Audiogalaxy has started storing usernames and passwords in a cookie.

Audiogalaxy does not seem to have security as an immediate precedence...

The old Audiogalaxy would contain the userid and password as part of the URL, allowing any proxy/cache admin to get hold of the account information (this seems to have been fixed).

And the non-cleartext entry in the ini file is encrypted very poorly (XOR with 255).

So all you can reiterate is - use a different password for Audiogalaxy than everything else (which should be normal!)

dave
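
An audit check illustrating the XOR-with-255 point above, added here as an example and not part of the original message or of Audiogalaxy's code: it flags ini values that become readable text under a fixed single-byte XOR, meaning they are obfuscated rather than encrypted. The section and option names, the hex encoding of the stored value and the sample credentials are all constructed assumptions.

```python
import configparser

XOR_CONSTANT = 0xFF  # the constant named in the message above


def xor_obfuscate(data: bytes, key: int = XOR_CONSTANT) -> bytes:
    """XOR every byte with a fixed constant; applying it twice returns the input."""
    return bytes(b ^ key for b in data)


def is_printable_ascii(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b <= 0x7E for b in data)


def audit_ini(text: str) -> list:
    """Return (section, option, matches_0xFF) for each hex-encoded value that
    turns into printable ASCII under some single-byte XOR key. Heuristic only:
    values shorter than 4 bytes are skipped to limit false positives."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            try:
                blob = bytes.fromhex(value)
            except ValueError:
                continue  # not hex-encoded: outside the scope of this check
            if len(blob) < 4:
                continue
            keys = [k for k in range(1, 256)
                    if is_printable_ascii(xor_obfuscate(blob, k))]
            if keys:
                findings.append((section, option, XOR_CONSTANT in keys))
    return findings


# Constructed sample file (assumed layout, not Audiogalaxy's real ini format).
SAMPLE_INI = (
    "[Account]\n"
    "user = alice\n"
    f"password = {xor_obfuscate(b'example-pw-1').hex()}\n"
    "token = 00ff807f10e3\n"  # constructed bytes, unreadable under any single key
)

if __name__ == "__main__":
    for section, option, is_ff in audit_ini(SAMPLE_INI):
        print(f"[{section}] {option}: reversible single-byte XOR (0xFF matches: {is_ff})")
```

Any value this check flags should be treated as stored in clear text, since the transform involves no secret key.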

