Back in January, at Arisia, I was hanging with someone who is a serious geek, and whose expertise I have no reason to question. He told me there was a serious security problem with WordPress, which caused WP to divulge private cookie data to anyone who knew how to tickle its API. "You mean WordPress, you install yourself on your own server?" No, he clarified, he was talking about WordPress.com, the free hosted blogs site, and the problem would not be fixed because it was something WP was doing deliberately to indulge its real customers -- advertisers -- even though it involved divulging your cookies from completely unrelated third-party sites to, well, anyone really. Someone else who was also apparently a serious geek (don't know the guy, but he'd been keeping up in a security conversation and seemed sane thus far) chimed in to confirm this story. Both stressed that one should have nothing to do with hosted WP unless one used Incognito mode or your browser's equivalent, to deny WP access to your cookies to other sites, or take similar measures.
I was very dubious about this story (I mean, I didn't even think it was possible for WP to get at other hosts' cookies?) but the source it was coming to me from was not given to nonsense in my experience.
So I've been trying to find evidence of this, but searching for security problems in WP.com is impossible in the flood of hits about problems in the WP software.
Does anybody know anything about this? Able to confirm or deny? Able to point me at reputable journalism about this problem? Or even credible rumor?