I was playing with magento and I just realized that once your store is up anyone can recover your encryption key in plain text by just adding
/install/wizard/end/
to the end of your store’s domain name.
This is critical and needs to be fixed as soon as possible.
For instance you can retrieve Magento’s demo store encryption key by just launching the following link in your browser:
http://demo.magentocommerce.com/install/wizard/end/
I would like to hear from a Magento team member about whether this is an issue.
I would rather have this key retrievable after login or simply not retrievable online but only via email or so. Not sure which one is best…
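A small check a store owner can run against their own deployment to confirm the install wizard route is no longer reachable after go-live. This is an added example, not code from the post or from Magento; the store URL and the User-Agent string are assumptions, and the only page-specific value is the /install/wizard/end/ path named above.

```python
"""Post-install check: does the Magento install wizard still respond?

Added example (not from the original post). Requests /install/wizard/end/
on a store you administer and reports whether that route still answers
with its own page, which the post says reveals the encryption key.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

INSTALL_END_PATH = "/install/wizard/end/"  # path named in the post


def wizard_end_url(store_url: str) -> str:
    """Join the store base URL with the install wizard end path."""
    if not store_url.endswith("/"):
        store_url += "/"
    return urljoin(store_url, INSTALL_END_PATH.lstrip("/"))


def classify(status: int, final_url: str) -> str:
    """Interpret the HTTP result after redirects have been followed.

    'exposed'    : the wizard page itself answered 200
    'blocked'    : the route is denied or gone (401/403/404/410)
    'redirected' : anything else, e.g. a 200 at the storefront home page
    """
    if status == 200 and final_url.rstrip("/").endswith("install/wizard/end"):
        return "exposed"
    if status in (401, 403, 404, 410):
        return "blocked"
    return "redirected"


def check_store(store_url: str, timeout: float = 10.0) -> str:
    """Fetch the wizard end URL for a store you own and classify the answer."""
    url = wizard_end_url(store_url)
    req = urllib.request.Request(url, headers={"User-Agent": "install-route-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.geturl())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.filename or url)


if __name__ == "__main__":
    # Assumed placeholder store URL; pass your own store as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://store.example/"
    print(check_store(target))
```

Anything other than "blocked" (or a redirect away from the wizard) after installation means the route should be removed or denied at the web server.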