This was fixed in the recent security update (IPB.Blog 1.2.3) after an internal audit. http://forums.invisionpower.com/index.php?showtopic=214248&view=getnewpost