Don't forget they had terrible security even for the time. In their client you could do text customizations like bold, italic, etc., and they did it by just sending HTML over the wire.
This meant that if you used a custom client (which they didn't allow), you could just send HTML which got evaluated, so you could force users to download stuff or send HTML forms or iframes.
When this became semi-public (in hacker circles), they went after the people talking about it with legal action instead of fixing their stuff.
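The receiving-side fix for the problem described in the comment above, as an added example that is not part of the thread and not any vendor's code: treat message HTML from a peer as untrusted and rebuild it from an allowlist of formatting tags instead of rendering it as sent. The tag set, the function and class names, and the sample message are assumptions.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u"}       # assumed set of formatting tags
DROP_CONTENT = {"script", "style"}   # tags whose inner text is discarded too

# Constructed sample of what a non-official client could put on the wire.
HOSTILE = ('<b onmouseover="x()">hi</b>'
           '<iframe src="http://example.invalid/"></iframe>'
           '<form action="/x"><input name="p"></form>')

class FormattingFilter(HTMLParser):
    """Re-emits only allowlisted tags, without attributes; escapes all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.dropped = [], [], []
        self.skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")      # every attribute is discarded
            self.open_tags.append(tag)
        else:
            self.dropped.append(tag)         # keep a record for logging
            if tag in DROP_CONTENT:
                self.skip += 1

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        if tag in self.open_tags:            # close inner tags first
            while True:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))    # text can never become markup

def sanitize_message(wire_html):
    """Return (safe_html, dropped_tag_names) for one incoming message."""
    f = FormattingFilter()
    f.feed(wire_html)
    f.close()
    while f.open_tags:                       # balance tags left open
        f.out.append(f"</{f.open_tags.pop()}>")
    return "".join(f.out), f.dropped
```

The list of dropped tag names is worth logging on the receiving side, since a message containing `iframe` or `form` can only have come from a modified client.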
Eww, I wasn't even aware of that. I thought the filename UI issue was actually kind of a subtle fail and I was proud to find it, but that one is terrible.