Thanks for the confirmation -- I was afraid of that. With the things that have happened in the past with exchanges and such, I've become extremely wary of putting funds on a site where they could potentially get access to the address. Is there anything in place to keep this from happening with Counterparty?
My understanding of the way that Counterwallet works is that the information is never really stored "on the site". The wallet is generated on-the-fly when you input the 12-word passcode.
Question for Counterparty devs: Is the passcode sent to the server(s) or is it all kept in the user's browser and run through client-side scripting? If someone compromised the webserver, is there any chance that they could see the passcode "in the clear" in the logs, or as _POST or _GET variables within the webserver software itself?
It's not sent to the server, only in browser memory client side and wiped upon session exit.