SOAP, user credentials and plain-text

Once again, it’s good to know that some Web sites are treating sensitive information, like user credentials, the way it deserves: in plain-text.

I saw the following error message from the VMware site while trying to log in:

Fatal error: Uncaught exception ‘Exception’ with message ‘SimpleXMLElement::__construct() expects parameter 1 to be string, object given’ in /www/html/beta_programs/methods.class.php:154 Stack trace: #0 /www/html/beta_programs/methods.class.php(154): SimpleXMLElement->__construct(Object(SOAP_Fault)) #1 /www/html/beta_programs/methods.class.php(61): methods->verifyStoreSoap(’felipe_alfaro@m…’, ’straussered’) #2 /www/html/beta_programs/request_process.php(88): methods->login(’felipe_alfaro@…’, ‘my_password’) #3 {main} thrown in /www/html/beta_programs/methods.class.php on line 154

Isn’t it amazing that they are making SOAP requests passing user credentials in plain-text? At least, I have some confidence they are using SOAP over SSL ;)
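The trace above shows two separate failures: a fault object was handed straight to SimpleXMLElement, and the uncaught exception was rendered to the browser with the call arguments included. The following is an added example, not code from the site or from this post, showing one way to close both on PHP 8.2 or later; StoreFault, callStore, verifyStore and the status element are hypothetical names, and the credentials are constructed sample values.

```php
<?php
declare(strict_types=1);

// Production error settings: log errors, never render them to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// PHP >= 7.4: leave call arguments out of exception stack traces.
ini_set('zend.exception_ignore_args', '1');

// Hypothetical stand-in for the fault object the SOAP client returned in the trace.
final class StoreFault
{
    public function __construct(public readonly string $message) {}
}

// Hypothetical backend call; it always fails here to exercise the error path.
// #[\SensitiveParameter] (PHP >= 8.2) redacts the value in any trace that is produced.
function callStore(string $user, #[\SensitiveParameter] string $password): string|StoreFault
{
    return new StoreFault('backend unavailable');
}

function verifyStore(string $user, #[\SensitiveParameter] string $password): bool
{
    $reply = callStore($user, $password);
    if (!is_string($reply)) {
        // Check the type before parsing instead of passing the fault to SimpleXMLElement.
        throw new RuntimeException('store verification failed: ' . $reply->message);
    }
    $xml = new SimpleXMLElement($reply);
    return (string) $xml->status === 'ok'; // "status" is an assumed element name
}

try {
    // Constructed sample credentials.
    verifyStore('user@example.test', 'constructed-password');
} catch (Throwable $e) {
    // Server-side log only: message and location, no trace and no arguments.
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(503);
    echo "Login is temporarily unavailable.\n";
}
```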

One Response to “SOAP, user credentials and plain-text”

  1. I also like the fact that they do in fact show the stack. display_errors has been available for ages…

    (And, don’t you think it’s comforting to see that their app runs in beta_programs? ;-) )

    ’straussered’?
