by jokull
4589 days ago
- Yes. The certificate chain will be embedded in the client in the next release to mitigate this.
- We haven't stripped EXIF data from uploaded pictures, although this is on the roadmap. Sensitive fields from user profiles have been stripped from all endpoints. This was done before the news hit TechCrunch.
- We were never saving contact lists, just using them to cross-reference our user database. In the next update we will compare hashes, not plain-text emails.
- No passwords are ever stored in plain text, but they are transmitted over SSL during signup and login. We are considering ways to further obfuscate this, but strengthening SSL goes a long way. Please contact me at jokull@plainvanilla.is if you have comments or questions about our password policy.

You are right about the Facebook access tokens. The tokens are sent over SSL and we are not breaking any usage guidelines from Facebook. Access tokens can of course be invalidated by the user, or by Facebook. We are open to further enhancing the security of our OAuth flow, but currently it has not been exposed to any security weaknesses.
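The comment above mentions moving contact matching from plain-text emails to hashes. The following is an added illustration of that technique, not code from the commenter or their app: the client hashes each normalized address, the server matches the hashes against its own user table, and a third function shows the standard caveat that a plain, unkeyed hash of a low-entropy value like an email address is recoverable by guessing candidates. All function names and sample data (`USER_DIRECTORY`, `PHONE_CONTACTS`) are constructed for this example.

```python
import hashlib

# Constructed sample data: the service's user table (email -> user id) and a
# client's address book. Neither is real data from the app in the comment.
USER_DIRECTORY = {
    "alice@example.com": 1,
    "bob@example.com": 2,
    "carol@example.com": 3,
}
PHONE_CONTACTS = ["Alice@Example.com", "dave@example.com", "bob@example.com "]


def normalize_email(addr: str) -> str:
    """Canonicalize so that 'Alice@Example.com ' and 'alice@example.com' hash alike.

    Both sides must apply the same normalization or matches silently fail.
    """
    return addr.strip().lower()


def email_hash(addr: str) -> str:
    """Unkeyed SHA-256 of the normalized address: the 'compare hashes' approach."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def client_upload(contacts):
    """Client side: send only hashes, never the raw address book."""
    return [email_hash(c) for c in contacts]


def match_contacts(uploaded_hashes, user_directory):
    """Server side: look up uploaded hashes in a hash index of the user table.

    Returns the sorted ids of users who appear in the uploaded address book.
    """
    index = {email_hash(email): uid for email, uid in user_directory.items()}
    return sorted(index[h] for h in uploaded_hashes if h in index)


def reverse_by_dictionary(target_hash, candidate_emails):
    """Caveat: an unkeyed hash of a guessable value is reversible by enumeration.

    Anyone holding the uploaded hashes (the server, or whoever obtains them)
    can recover addresses by hashing a candidate list and comparing. Hashing
    prevents casual disclosure but is not anonymization.
    """
    for candidate in candidate_emails:
        if email_hash(candidate) == target_hash:
            return normalize_email(candidate)
    return None


if __name__ == "__main__":
    uploaded = client_upload(PHONE_CONTACTS)
    print("matched user ids:", match_contacts(uploaded, USER_DIRECTORY))
    guesses = ["zed@example.com", "alice@example.com", "dave@example.com"]
    print("recovered from hash:", reverse_by_dictionary(uploaded[0], guesses))
```

The matching works as the comment describes: the server never receives addresses that are not already in its own table in plain form. The third function is the reason hashing alone is a modest improvement: because the hash is deterministic and unkeyed, whoever holds the hashes can test guesses against them, so hashed contact lists should still be treated as sensitive data and discarded after the comparison.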