Unencrypted Login Sessions

A login form was discovered that submits the login credentials to the server over plain HTTP, i.e. unencrypted.

What can happen?

If an attacker can intercept the request, they can read the credentials and use them later to log in as the user. An attacker can intercept the request in several situations:

  • Another device on the network the visitor is using has been compromised and is used to capture traffic
  • The attacker is on the same network as the visitor, e.g. the visitor is using an open Wi-Fi network in a public space
  • The internet service provider collects this data (a real threat in certain countries)


Remediation

Serve the login page over HTTPS and point the form's action at an HTTPS URL. The best option is to serve the whole site over HTTPS; if that is not possible yet in your situation, at least use it for the login page and the URL it posts to. Note that the page containing the form must itself be loaded over HTTPS: if it is loaded over plain HTTP, an attacker on the path can rewrite the form's action before the user submits, even when that action points at an HTTPS URL.

Resources