I know I might take a lot of flak for asking this basic question, but I hope you'll be patient with me. I was looking at a few websites and analyzing the payload when sending a POST request to log in.

On GitHub, for example, I can see both username and password when sending the request.

[Screenshot: GitHub]

Whereas on ProtonMail, which is supposed to be a very secure mail service, I can only see the username, but not the password, which is good obviously.

[Screenshot: ProtonMail]

So, my question is: if I can see the password in the request, does it mean the site is vulnerable? Is one prone to a MITM attack when logging in over free WiFi? Thanks for the clarification.

Robin Sage
  • Are you using HTTPS to access GitHub? Did you accept/ignore any certificate warnings when connecting to it? – user Feb 14 '22 at 19:29
  • I am using HTTPS. I have not had any certificate warnings. Also, I'm using Brave, which is technically more secure than other browsers. – Robin Sage Feb 14 '22 at 20:01
  • @user I've just tried it on Chrome and Firefox, and they all show the password as plain text. – Robin Sage Feb 14 '22 at 20:11
  • Since it's over HTTPS, that form data is encrypted. It looks like ProtonMail is sending JSON payloads, but most likely it is also sending plaintext inside the secure connection. – user Feb 14 '22 at 20:17
  • That's what it looks like, and it's terrifying. Any idea why and how to fix it? – Robin Sage Feb 14 '22 at 20:18
  • Why is it terrifying? The data is encrypted already. You don't need to fix it. – user Feb 14 '22 at 20:23
  • I mean, it may also be sending plain text. Otherwise, it wouldn't show, right? I tried it on Gmail, and nothing shows. I tried on another supposedly secure mail service and the password shows. I'm confused. – Robin Sage Feb 14 '22 at 20:26
  • Does this answer your question? [Username and password stored under form data in Chrome Dev Tools](/questions/51186/), [Inspecting code elements in browser when logging in](/questions/185511/), [Passing plain text password over HTTPS](/questions/233759/). – Steffen Ullrich Feb 14 '22 at 20:32
  • @SteffenUllrich Yes, it does. Thank you! – Robin Sage Feb 14 '22 at 20:37

0 Answers