Wednesday, January 25, 2012

Password reset over HTTP -- Part 2

So it looks like I've been forgetting a lot of my passwords recently. After yesterday's issue with delicious submitting passwords in the clear, today I have a problem with livemocha.com.

As before, their login page is properly secured, but the password reset page is over HTTP:

This is the password reset page:

[Screenshot: livemocha - password reset over http]

And this is the URL the passwords are POSTed to, in clear text:

[Screenshot: livemocha - password reset submitted over http]

They also include third-party code on the page: in this case a Flash object from userplane.com, Google Analytics, and some JavaScript from pbc.com (an alias for paybycash.com).
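The two problems above (a password-handling form served over plain HTTP, and a form whose POST target is an http:// URL) plus the third-party includes are all things you can check mechanically against your own pages. The script below is an added example, not code from the original post or from livemocha.com; the sample HTML and the `.test`/`.example` hostnames in it are constructed stand-ins, not the real site's markup. It parses a page, finds every form that contains a password field, resolves the form's action against the page URL (a relative action inherits the page's scheme, which is exactly how an HTTP reset page ends up POSTing credentials in the clear), and lists resources pulled from other hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample (not the real livemocha.com markup): a reset page served
# over plain HTTP whose form posts the new password to an http:// endpoint
# and that pulls in third-party script and Flash resources.
SAMPLE_PAGE_URL = "http://www.example-reset.test/account/reset"
SAMPLE_HTML = """
<html><body>
<form method="post" action="/account/reset/submit">
  <input type="password" name="new_password">
  <input type="password" name="confirm_password">
  <input type="submit" value="Reset">
</form>
<script src="http://analytics.example/tracker.js"></script>
<script src="https://static.pbc.example/widget.js"></script>
<object data="http://userplane.example/player.swf"
        type="application/x-shockwave-flash"></object>
</body></html>
"""


class FormAndResourceScanner(HTMLParser):
    """Collects every <form> with its password inputs and every external resource URL."""

    def __init__(self):
        super().__init__()
        self.forms = []          # dicts: {"action": str, "password_fields": [names]}
        self.resources = []      # src/data URLs of script, object, embed, iframe tags
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "password_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["password_fields"].append(attrs.get("name", ""))
        elif tag in ("script", "object", "embed", "iframe"):
            url = attrs.get("src") or attrs.get("data")
            if url:
                self.resources.append(url)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_reset_page(page_url, html):
    """Return (kind, url) findings for a page that handles passwords.

    Kinds reported:
      page_not_https                - the page itself was not served over HTTPS
      password_form_posts_over_http - a form with a password field submits to
                                      a non-HTTPS action (after resolving
                                      relative actions against the page URL)
      third_party_resource          - a script/object/embed/iframe loaded from
                                      a host other than the page's own
    """
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append(("page_not_https", page_url))

    scanner = FormAndResourceScanner()
    scanner.feed(html)

    for form in scanner.forms:
        if not form["password_fields"]:
            continue
        # urljoin(base, "") returns base, so an empty action means "post to
        # this page", which inherits the page's (possibly http) scheme.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append(("password_form_posts_over_http", target))

    for url in scanner.resources:
        absolute = urljoin(page_url, url)
        host = urlsplit(absolute).hostname
        if host and host != page.hostname:
            findings.append(("third_party_resource", absolute))
    return findings


if __name__ == "__main__":
    for kind, where in audit_reset_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind}: {where}")
```

Run against the constructed sample, it reports the HTTP page, the HTTP POST target, and three third-party resources. Fed the same form from an https:// page URL, the relative action resolves to https and the credential findings disappear, which is the fix the post is asking for: serve the reset page itself over TLS, not just the login page.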

I've gotten in touch with them via their online form. Let's hope they respond.


