Detectify
Knowledge Base


Unencrypted Login Sessions

Last Updated: Apr 21, 2017 08:56PM CEST

A login form was discovered that sends the login credentials unencrypted to the server.

What can happen?

If an attacker is able to intercept the request, they can see the credentials and use them at a later stage to log in. An attacker can intercept the request in several situations:

  • Another device on the same network that the visitor is using has been hacked

  • The attacker is on the same network as the visitor, e.g. the visitor is using an open network in a public space

  • The internet service provider has decided to collect this data (a real threat in certain countries)

Remediation

Implement HTTPS and use it whenever the form sends sensitive credentials. The best option is of course to always use HTTPS, but if that is not yet possible in your situation, at least use it for login.

Resources
