@PhillS said:
I had to do some integration work with it recently, migrating the users over from it to a dedicated forums system. I logged in to the database console to have a quick look at the tables to see what I could do. I had a look at the users table -- and quickly realised that they were storing cleartext passwords. They weren't even doing MD5 encryption or anything. That's got to be the biggest WTF I've ever seen with this kind of system -- how can it ever be acceptable NOT to encrypt passwords?!

Storing plaintext passwords is not inherently a security vulnerability, or a bad practise. All security is a trade-off between a completely open system and a switched off system, and where to draw the line depends on lots of factors, not just blindly following a list of "this is good security" and "this isn't". At least they don't have admin=true in the URL...
Also, you will never have a piece of software that is completely secure, perfectly bug-free and implementing all the features that all the users want. Being 'more secure' won't get them more users - what good is spending so much effort on security that they go out of business? It might be that they have a long list of security changes to make, and have to prioritise some bug fixes, some new features, some security fixes and some internal redesigning for each new release.