Karmendra showed how applications that did not issue an HTTP redirect during authentication could be persuaded to reveal the previous user's password, even after the user had logged out of the application. It just required the right sequence of "Back" and "Refresh" to catch the password. And it was stunningly simple.
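The fix Karmendra's demo points at is the Post/Redirect/Get pattern: a login POST should answer with a redirect, so the page the browser keeps in its history is a plain GET, and the form and landing page should carry Cache-Control: no-store. The following is an added example, written for this page and not code from the original post or from Karmendra; the paths /login and /home, the credential store, the urlencoded form body and the simplified browser-history model are all constructed for illustration.

```python
"""Added example: why a login POST should end in a redirect.

Two versions of a tiny login handler (one renders the logged-in page
straight from the POST, one redirects) plus a minimal model of browser
history. Every name, path and credential here is constructed for the
example; nothing is taken from a real product.
"""
from urllib.parse import parse_qs

# Constructed credential store; the password is an example value only.
USERS = {"alice": "s3cret-example"}

NO_STORE = {"Cache-Control": "no-store", "Content-Type": "text/html"}
LOGIN_FORM = "<form method=post action=/login>...</form>"


def check_credentials(form_body):
    """Return the username if the urlencoded form carries valid credentials."""
    params = parse_qs(form_body, keep_blank_values=True)
    user = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    return user if USERS.get(user) == password else None


def app_no_redirect(method, path, body=""):
    """Vulnerable pattern: the logged-in page is the direct response to
    POST /login, so the entry the browser keeps for that page is the POST
    itself, form data included."""
    if path == "/login" and method == "GET":
        return 200, {"Content-Type": "text/html"}, LOGIN_FORM
    if path == "/login" and method == "POST":
        user = check_credentials(body)
        if user is None:
            return 401, {"Content-Type": "text/html"}, "Login failed"
        return 200, {"Content-Type": "text/html"}, f"Welcome, {user}"
    return 404, {}, "Not found"


def make_post_redirect_get_app():
    """Hardened pattern: POST /login answers 303 See Other to /home, and the
    form and landing page are marked Cache-Control: no-store. The closure's
    dict stands in for a server-side session store (constructed)."""
    session = {}

    def app(method, path, body=""):
        if path == "/login" and method == "GET":
            return 200, dict(NO_STORE), LOGIN_FORM
        if path == "/login" and method == "POST":
            user = check_credentials(body)
            if user is None:
                return 303, {**NO_STORE, "Location": "/login?error=1"}, ""
            session["user"] = user
            return 303, {**NO_STORE, "Location": "/home"}, ""
        if path == "/home" and method == "GET":
            if "user" not in session:
                return 303, {**NO_STORE, "Location": "/login"}, ""
            return 200, dict(NO_STORE), f"Welcome, {session['user']}"
        return 404, {}, "Not found"

    return app


class Browser:
    """Minimal history model: a 3xx answer is followed with a GET and only
    the final request is recorded; Refresh re-issues the recorded request,
    body included. That resend is the leak when the record is a login POST."""

    def __init__(self, app):
        self.app = app
        self.history = []

    def navigate(self, method, path, body=""):
        status, headers, page = self.app(method, path, body)
        hops = 0
        while 300 <= status < 400 and "Location" in headers and hops < 5:
            method, path, body = "GET", headers["Location"], ""
            status, headers, page = self.app(method, path, body)
            hops += 1
        self.history.append((method, path, body))
        return status, headers, page

    def refresh(self):
        """The request a Refresh on the current page would resend."""
        return self.history[-1]


def resent_on_refresh(app):
    """Log in through `app` and return the request a Refresh would resend."""
    browser = Browser(app)
    browser.navigate("GET", "/login")
    browser.navigate("POST", "/login", "username=alice&password=s3cret-example")
    return browser.refresh()


if __name__ == "__main__":
    print("no redirect     :", resent_on_refresh(app_no_redirect))
    print("post/redirect/get:", resent_on_refresh(make_post_redirect_get_app()))
```

Run stand-alone, the first line shows the POST with the credential body being resent, the second shows a bare GET /home. The redirect also changes what Back does: the previous history entry is the GET of the login form, and with no-store the browser fetches a fresh, empty form instead of replaying a cached response.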
We did an informal poll to see how frequently we come across this vulnerability in our tests today. Occurrences have dropped from 50% of apps a year ago to less than 10% now. Sure, informal polls are unscientific, but the numbers suggest that more of the applications that get tested for security address the problem today. That's good news.
Today Karmendra, geek, fellow blogger and museum enthusiast, turns entrepreneur. He joins his friend Seemanta to found SecurEyes. Best wishes from humsab@paladion, KK, Seemanta!