Felipe Alfaro Solana

Once again, it’s good to know that some Web sites are treating sensitive information, like user credentials, the way they deserve: in plain-text.

I saw the following error message from the VMware site while trying to log in:

Fatal error: Uncaught exception ‘Exception’ with message ‘SimpleXMLElement::__construct() expects parameter 1 to be string, object given’ in /www/html/beta_programs/methods.class.php:154 Stack trace: #0 /www/html/beta_programs/methods.class.php(154): SimpleXMLElement->__construct(Object(SOAP_Fault)) #1 /www/html/beta_programs/methods.class.php(61): methods->verifyStoreSoap(‘felipe_alfaro@m…’, ‘straussered’) #2 /www/html/beta_programs/request_process.php(88): methods->login(‘felipe_alfaro@…’, ‘my_password’) #3 {main} thrown in /www/html/beta_programs/methods.class.php on line 154

Isn’t this amazing that they are making SOAP requests passing user credentials in plain-text? At least, I have some confidence they are using SOAP over SSL