The discovery, reporting and effect of a security flaw.
The accident
When I accidentally logged in to the control panel for one of my service providers I realized there was something really wrong.
By accidentally I mean without entering a username or password, and no, I don't store cookies or passwords in my browser. But I do store history.
The issue
Apparently I had typed the beginning of the address and chosen at random an address looking like this:
http://example.com/cgi-bin/logmein?data=dXNyP… …29yZAo=
My first thought was that it was some kind of token still active, but when I took a closer look at it the issue became worse. The data string looks like a base64-encoded string, and in fact it is; decoding it gives:
echo 'dXNyPW1… …RwYXNzd29yZAo=' | base64 -d
usr=mysuperuser&pwd=supersecretpassword
The conclusion
On every computer you have used to log in to this service, the username and password can be recovered in clear text from the browser's history. The same applies to anything else that records full URLs, such as proxy logs and the provider's own web server access logs.
Since the login form is not on the same server as the control panel I guess the login information can't be saved in cookies.
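The check a practitioner would want after reading the above is a way to find out whether a browser profile already holds such URLs. The script below is an added example, not code from the post or from the provider involved: it decodes every base64-looking query parameter in a list of history URLs, parses the result as a query string and reports credential-like fields. The history sample is constructed with made-up credentials (the real URL in the post is elided and is not reproduced), and the credential key list, the function names and the Firefox `moz_places` reader are assumptions made for the example.

```python
import base64
import binascii
import re
import sqlite3
from urllib.parse import parse_qsl, quote, urlsplit

# Keys that commonly carry credentials once a blob has been decoded.
# Assumption for this example, not taken from the affected service.
CREDENTIAL_KEYS = {"usr", "user", "username", "login", "pwd", "pass", "password"}

# Standard or URL-safe base64 alphabet, with optional padding.
_B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{8,}$")


def try_base64(value):
    """Return the decoded text if value is base64 (standard or URL-safe)
    that decodes to printable ASCII, otherwise None."""
    # A raw '+' in a query string comes back from parse_qsl as a space;
    # restore it, since a space is never valid base64 anyway.
    value = value.replace(" ", "+")
    if not _B64_RE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text.rstrip("\r\n").isprintable():
            return text
    return None


def credentials_in_url(url):
    """Decode each base64-looking query parameter of url and return the
    credential-like key/value pairs found inside it, as a dict."""
    found = {}
    for _key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = try_base64(value)
        if text is None:
            continue
        # The decoded blob is itself a query string: usr=...&pwd=...
        for inner_key, inner_value in parse_qsl(text.strip()):
            if inner_key.lower() in CREDENTIAL_KEYS:
                found[inner_key] = inner_value
    return found


def scan_history(urls):
    """Return [(url, creds)] for every history entry that leaks credentials."""
    hits = []
    for url in urls:
        creds = credentials_in_url(url)
        if creds:
            hits.append((url, creds))
    return hits


def urls_from_firefox_history(places_db_path):
    """Read visited URLs from a copy of a Firefox profile's places.sqlite
    (table moz_places, column url). Copy the file first; Firefox keeps the
    live one locked."""
    conn = sqlite3.connect(places_db_path)
    try:
        return [row[0] for row in conn.execute("SELECT url FROM moz_places")]
    finally:
        conn.close()


# Constructed sample history with hypothetical credentials.
LEAKY_BLOB = base64.b64encode(b"usr=alice&pwd=hunter2\n").decode()
SESSION_BLOB = base64.urlsafe_b64encode(b"sid=3f9a").decode()
SAMPLE_HISTORY = [
    "http://example.com/",
    "http://example.com/cgi-bin/logmein?data=" + quote(LEAKY_BLOB, safe=""),
    "https://example.com/panel?session=" + quote(SESSION_BLOB, safe=""),
    "https://example.com/search?q=base64",
]

if __name__ == "__main__":
    for url, creds in scan_history(SAMPLE_HISTORY):
        print(url)
        for key, value in creds.items():
            print(f"  {key} = {value}")
```

Run it against `urls_from_firefox_history("/path/to/copy/of/places.sqlite")` instead of `SAMPLE_HISTORY` to audit a real profile; other browsers keep history in their own SQLite files, and the same scan applies to proxy or web server logs once the URLs are extracted. The fix on the server side is not a different encoding of the same URL but moving the credentials out of it entirely: a POST over HTTPS that sets a session cookie, so nothing secret is ever written into a URL that browsers and logs retain.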
The handling
The issue was reported in the middle of December 2008. Today, a month later, I got the final response informing me that the issue has been resolved. As it looks today the new implementation seems to have fixed the issue, as far as I can tell from the user experience.
Now the interesting part here is whether it's a closed issue or not.
Will they inform their users that their password can be recovered from the history and recommend that they change their passwords?
