I had a look at Foursquare recently as a few of my colleagues were using it. One of the apps I downloaded was FourSquareX .
I was really surprised by a message on the logon screen saying that passwords are sent in clear text:
I figured this might just be for the API but decided to investigate whether this is also the case on the main site and it seems it is. Running LiveHTTPHeaders you can see the following when you log on to foursquare.com (I’ve put some asterisks in to remove user identifiable stuff):
F***231419577AFW=true&F*****1419575D1V=********%40gmail.com&password=4square
(this is the same on the ‘/mobile/’ site)
And when you change your account password (in this example to ‘nothidden’):
-----------------------------*****591617307847261632891267
Content-Disposition: form-data; name="****2314598660HU"
nothidden
-----------------------------*****591617307847261632891267
Content-Disposition: form-data; name="****231459867BB4"
nothidden
I’m really surprised at this as it means a packet sniffer could easily pick out your password. It also suggests a relaxed attitude towards sending and maybe even storing users data. I wouldn’t be surprised if the smartphone apps (such as the Android one) also send password details in clear text although I haven’t tested this hypothesis.
So, if I keep using it I will definitely use a unique password for Foursquare.com and not store any sensitive data in your account. Like my erm.. email, date of birth, where you’ve been for the past few days for example…
