but how do you know that it exists as a shared string?
of course if you know that then all is lost, but gaining that knowledge has nothing to do with whether secure and non-secured strings are shared or not. at least i can't see how either way here could make any difference.
in a multiuser environment it must not be possible to detect that a string is secured. if i write random strings out with %O and then i find some that are not printed then i can guess passwords that way. i don't even need access to pike but just a "helpful" debugging api that will use "%O" somewhere to print my own input (in a webinterface for example) could allow me to do some password guessing if this %O attack works.
watching reference counts could also be a problem. if the count rises more than i'd expect then i could guess that someone else is using that string. it won't tell me if it is used as a password. though. i guess in a multiuser environment the access to reference counters should generally be restricted or turned off. as it would be detectable either way because any secured string will at some point be non-secured (when it enters the system before it is secured)
i am not sure if any of these are real problems and if they are possible/worth to fix, but if they actually are problems at least there should be a big warning assotiated with using them.
greetings, martin.