I noticed that my user name and password is sent bare text to the remote server inside HTTP POST request. This is a sniffed packed from Wireshark
POST /***URL*** HTTP/1.1
Host: ***DNS NAME***
Content-Length: 463
site2pstoretoken=***TOKEN***&ssousername=***MY USER NAME***&password=***MY PASSWORD***
This web site doesn't use TSL and is exposed to outer internet network.
Q1: Is it possible to sniff incoming traffic to that remote server (and get all the passwords)?
Q2: I think that's a security hole, am I wrong?