TechEcho


Yet Another Hot Startup Leaves A Gaping Security Hole In Its iPhone App

27 points by jwu711 over 14 years ago

7 comments

dangrossman over 14 years ago
Surprise, most sites don't use SSL.

Surprise, the DISQUS login/registration to post a comment on TechCrunch's article about this "gaping security hole" also sends your password in plaintext.
thomaspaine over 14 years ago
I don't know why this is so surprising, 99% of the websites and apps I see don't use SSL for login, even HN doesn't. It's good that this issue is getting more attention, but to specifically call out Instagram for it makes it seem like what they're doing isn't the industry norm.

Looking at the TC comments it seems like a lot of people are confused by the difference between sending your password in cleartext, and storing your password in cleartext, although I wouldn't be surprised if they're storing your tumblr and foursquare credentials in the clear.
dangrossman over 14 years ago
Everyone assumes that this is just a "oh they should add an s to http://" issue.

If your iPhone application uses SSL, it becomes subject to US export restrictions on encryption.

Apple is the vendor of the apps, and is based in the US, so every app is subject to these regulations. Apple specifically asks if your application uses encryption when you submit it, and if so, some apps end up having to get U.S. government review and approval for sale outside the US before they can be added to the market.

http://blog.theanimail.com/iphone-encryption-export-compliance-for-apps

http://www.zetetic.net/blog/2009/08/03/mass-market-encryption-commodity-classification-for-iphone-applications-in-8-easy-steps/
Aqua_Geek over 14 years ago
Seriously? Passwords sent in the clear?! Why are simple security measures so far down on people's list of things to implement when launching a new product/company?
The_Igor over 14 years ago
"...one of the top stories on Hacker News over the weekend. In other words, the ‘bad guys’ already know about it, but consumers may not."

Never thought of this community as bad guys...
tyrmored over 14 years ago
Ten bucks says they store the passwords in cleartext too.
gawker over 14 years ago
Was pretty shocked when I realized that Facebook doesn't use https either.