I've raised several BOINC web server security concerns:
http://lists.ssl.berkeley.edu/pipermail/boinc_dev/2016-September/thread.html
http://lists.ssl.berkeley.edu/mailman/private/boinc_projects/2016-September/011834.html

TL;DR: I need to add authentication key reset functionality, need to significantly improve the password hashing process (currently md5, salted with email - abysmal!) and I need to provide email verification before providing access to the user's account.

I'll be adding secure chat client fields too, but they will not be exportable to prevent bot abuse: pgp, retroshare, tox, echo, ring and wickr).