Package: twidge
Version: 0.99.4
Severity: important

Twidge interacts with Twitter using an external curl process - however, as it
passes the HTTP authentication information on the command line this is easily
read by anyone via "ps aux":

  $ ps aux | grep twidge
  lamby 27373 0.0 0.0 2684 132 ttyp3 R+ 21:18 0:00 curl -A twidge v1.0.0; Haskell; GHC -s -S -L -y 60 -Y 1 --retry 2 -f --user lolamby:PASSWORD https://twitter.com/statuses/friends_timeline.xml?page=1
                                                                                                                                       ^^^^^^^^

I believe it is possible to avoid this by executing the equivalent of:

  $ echo "user = lolamby:PASSWORD" | curl -K - [...]


Regards,

-- 
      ,''`.
     : :' :     Chris Lamb
     `. `'`     la...@debian.org
       `-
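
The stdin approach suggested in the report, written out as an added shell example (not part of the original report and not twidge's own code). The function names are hypothetical; the quoting follows curl's documented config-file escapes so that passwords containing spaces, quotes or backslashes still parse as one value.

```shell
#!/bin/sh
# Added example: keep HTTP credentials out of curl's argv by sending them as a
# config line on stdin (curl -K -). Function names are hypothetical.

# Escape a value for a double-quoted curl config parameter. curl documents
# \\ and \" as escapes inside double quotes. The data reaches sed through a
# pipe, never through its argument list.
curl_config_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a 'user = "name:password"' config line, or fail on input that cannot
# be represented safely on a single config line.
curl_user_config() {
    nl='
'
    cr=$(printf '\r')
    case $1 in
        *:*) echo "username must not contain ':'" >&2; return 1 ;;
    esac
    case $1$2 in
        *"$nl"*|*"$cr"*) echo "line break in credentials rejected" >&2; return 1 ;;
    esac
    printf 'user = "%s:%s"\n' "$(curl_config_escape "$1")" "$(curl_config_escape "$2")"
}

# Run curl with the credentials on stdin. printf is a builtin in bash and
# dash, so the password is not placed on any process's command line.
curl_with_stdin_creds() {
    user=$1 pass=$2 url=$3
    # Build the config first: if validation fails, curl is never started.
    cfg=$(curl_user_config "$user" "$pass") || return 1
    printf '%s\n' "$cfg" | curl -K - -s -S -f "$url"
}

# Usage (needs network access, so it is not run here). Read the password from
# the terminal rather than taking it as a script argument:
#   stty -echo; IFS= read -r PASS; stty echo
#   curl_with_stdin_creds lolamby "$PASS" 'https://twitter.com/statuses/friends_timeline.xml?page=1'
```

With this form, "ps aux" shows only `curl -K - -s -S -f <url>` for the curl process.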