SOAP, user credentials and plain-text

Once again, it’s good to know that some Web sites are treating sensitive information, like user credentials, the way they deserve: in plain-text.

I saw the following error message from the VMware site while trying to log in:

Fatal error: Uncaught exception ‘Exception’ with message ‘SimpleXMLElement::__construct() expects parameter 1 to be string, object given’ in /www/html/beta_programs/methods.class.php:154 Stack trace: #0 /www/html/beta_programs/methods.class.php(154): SimpleXMLElement->__construct(Object(SOAP_Fault)) #1 /www/html/beta_programs/methods.class.php(61): methods->verifyStoreSoap(‘felipe_alfaro@m…’, ‘straussered’) #2 /www/html/beta_programs/request_process.php(88): methods->login(‘felipe_alfaro@…’, ‘my_password’) #3 {main} thrown in /www/html/beta_programs/methods.class.php on line 154

Isn’t this amazing that they are making SOAP requests passing user credentials in plain-text? At least, I have some confidence they are using SOAP over SSL 😉

3 thoughts on “SOAP, user credentials and plain-text

  1. I also like the fact that they do in fact show the stack. display_errors is available since ages…

    (And, don’t you think it’s comforting to see that their app runs in beta_programs? 😉 )


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s