I just discovered that "Employer on the Go", a website I am required to use by my employer for downloading pay stubs and entering time-off requests, implements "remember me" by saving my username and password in a plaintext browser cookie.
yhgtbfkmwts
It gets worse. They use "&" in the cookie as the separator between key/value pairs, and it's not quoted in values, so if there's a "&" in your password then they truncate it and don't pre-fill it properly on the login page.
#infosec #fail #smdh
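
Added example, not part of the original thread and not the vendor's code: it reproduces the "&" truncation described above using a constructed cookie layout, shows that quoting fixes the parsing but still stores the password, and then sketches a remember-me cookie that holds only a random single-use token. All function, class and field names are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

def naive_pack(username, password):
    # Constructed stand-in for the format in the post: "&"-separated pairs, values unquoted.
    return f"username={username}&password={password}"

def naive_unpack(cookie):
    fields = {}
    for pair in cookie.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(key, value)
    return fields

def quoted_pack(username, password):
    # Percent-encoding removes the truncation, but the password is still in the cookie.
    return urlencode({"username": username, "password": password})

def quoted_unpack(cookie):
    return {k: v[0] for k, v in parse_qs(cookie).items()}

class RememberMeStore:
    """Server-side table: selector -> (username, SHA-256 of validator)."""
    def __init__(self):
        self._rows = {}

    def issue(self, username):
        selector = secrets.token_urlsafe(12)   # lookup key, not secret
        validator = secrets.token_urlsafe(32)  # secret half, only its hash is stored
        self._rows[selector] = (username, hashlib.sha256(validator.encode()).digest())
        # token_urlsafe never emits ".", so it is a safe separator.
        # Send the result with the Secure and HttpOnly cookie attributes.
        return f"{selector}.{validator}"

    def redeem(self, cookie):
        selector, _, validator = cookie.partition(".")
        row = self._rows.pop(selector, None)   # single use, even on a failed attempt
        if row is None:
            return None
        username, digest = row
        candidate = hashlib.sha256(validator.encode()).digest()
        return username if hmac.compare_digest(candidate, digest) else None

if __name__ == "__main__":
    print(naive_unpack(naive_pack("alice", "p&ssw0rd")))    # password comes back cut short
    print(quoted_unpack(quoted_pack("alice", "p&ssw0rd")))  # intact, but still plaintext
    store = RememberMeStore()
    cookie = store.issue("alice")
    print(store.redeem(cookie), store.redeem(cookie))       # valid once, then rejected
```
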
@jik Shit, Basic Auth would be better than that, at least that gets base64 encoded.

@jik Apex HCM, who seems to own Employer on the Go, links their Careers page to Hire on the Go. Except, that HotG page is ‘closed’.

This is a bad look all around.

Nimbus monitoring software, back around 15 years ago, would take your credentials and open a temporary window in your browser to effect the authentication, and the password was both in plaintext in the URL and did not escape ampersands.