The housekeepers at our property use a web dashboard for a property management system to track which rooms need cleaning. The application is managed by a company in Canada, and is running on-prem on an older server. I noticed the other day that when you log in, the username and password appear as plaintext in the URL. Searching Stack Overflow, my concerns were verified, and I learned that they used a GET request when they should have used POST.
I told the company my findings, and they did not seem concerned. They said this could be fixed by installing an SSL certificate. I'm not convinced, and think that will just harden the security from the web server to the browser, but the credentials will still appear in the URL, and in the browser history, right?
My gut says the SSL cert won't address the root cause of the issue, but I'm not yet informed enough to say that definitively.
Thanks!
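
An added example, not part of the original post: TLS encrypts the URL in transit, but the query string of a GET login is still written in clear text to the web server's access log and to browser history. This sketch scans access-log lines for credential-like query parameters; the parameter names, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials (assumed; adjust to the application).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token"}

# Request part of a common/combined access log line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines; addresses, paths and values are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:08:01:13 +0000] "GET /login?username=maria&password=Spring2024%21 HTTP/1.1" 302 0
192.0.2.10 - - [12/Mar/2024:08:01:14 +0000] "GET /rooms?status=dirty HTTP/1.1" 200 5120
192.0.2.11 - - [12/Mar/2024:08:05:40 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.12 - - [12/Mar/2024:08:07:02 +0000] "GET /login?username=sam&PWD=hunter2 HTTP/1.1" 401 0
"""

def find_credential_urls(log_text):
    """Return (line_no, method, path, leaked_param_names) for each request
    whose query string carries a credential-like parameter."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line in the expected format
        parts = urlsplit(m.group("target"))
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        leaked = sorted({k.lower() for k, _ in pairs if k.lower() in SENSITIVE})
        if leaked:
            findings.append((line_no, m.group("method"), parts.path, leaked))
    return findings

def redact(line):
    """Mask credential values so a log line can be quoted in a report."""
    pattern = r'(?i)\b(' + "|".join(sorted(SENSITIVE)) + r')=[^&\s"]*'
    return re.sub(pattern, r'\1=[REDACTED]', line)

if __name__ == "__main__":
    for line_no, method, path, names in find_credential_urls(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} exposes {names}")
```

The POST login on the third sample line is not flagged because its credentials travel in the request body, which standard access-log formats do not record.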