Control Panel U/P in plain text in URL over HTTP during login?
randizzle
10-02-2008, 09:47 AM
Note the url in the location bar and in the.. my username and password are in plain text and it is over http. Is this a known issue?
http://www.levitated.org/images/wtf.jpg
Reverend
10-03-2008, 01:23 AM
Yes, it's a known item.
http://helpdesk.bluehost.com/kb/index.php?x=&mod_id=2&id=185
felgall
10-03-2008, 03:32 AM
That answer is completely unrelated to the question.
Those values do not normally appear in the URL when you use the regular interface and so using the secure one instead isn't necessarily going to make any difference since the cause isn't that the connection is not secure.
I suggest contacting support via Live Chat and asking them to investigate.
I don't have that happening when I log in to cPanel using the form at the top of the BlueHost home page.
Reverend
10-03-2008, 07:26 AM
> That answer is completely unrelated to the question.
> Those values do not normally appear in the URL when you use the regular interface and so using the secure one instead isn't necessarily going to make any difference since the cause isn't that the connection is not secure.
> I suggest contacting support via Live Chat and asking them to investigate.
> I don't have that happening when I log in to cPanel using the form at the top of the BlueHost home page.
That answer is perfectly related to the question.
The question was "Is this a known issue?"
My response was "Yes."
Then I provided a way to avoid being in that situation if you're one of those people that's interested in learning.
If you go to bluehost.com and log in using the top-right box, guess what, your username and password are right there in plain text until it redirects to the CPanel. This happens once and then you're fine until/unless the cookie expires or you clear your private data on your browser.
areidmtm
10-03-2008, 11:43 AM
I've always used:
http://MYDOMAIN.com/securecontrolpanel
You will have to add the security certificate and then you will be asked for your username and password.
felgall
10-03-2008, 02:03 PM
> The question was "Is this a known issue?"
> My response was "Yes."
But the problem is only happening for that one person - yes, you provided an alternative to see if that has the same problem, but since others don't have that problem and the link you used doesn't even mention that problem, then how can you say it is a known issue? That only one person has mentioned the problem probably means that it is NOT a known issue. I certainly can't recreate the problem and so I suspect that only a few people are affected and that it has something to do with how they have their browser configured rather than anything on BlueHost's end. Until someone actually tells BlueHost about the problem and provides them with enough information to work out why it is happening for a small number of people then they will probably be completely unaware of the problem.
Also, since there is no indication as to what is causing that problem, how do you know that the same bug will not affect secure access as is affecting regular access for the one person who has so far found that they have that bug? Their browser may be converting all form transmissions to using the querystring and their user and password may still be appearing there when they try the secure version of the access (hopefully the encrypted versions but since they have a bug in how their browser is working - who knows?).
wysiwyg
10-03-2008, 04:39 PM
I suppose you don't remember this then http://www.bluehostforum.com/showthread.php?t=11760
felgall
10-03-2008, 05:23 PM
> I suppose you don't remember this then http://www.bluehostforum.com/showthread.php?t=11760
So that makes two people whose browser has had a bug (or whose system was infected with a virus or trojan) that resulted in the entries displaying in the URL. Since the problem isn't on BlueHost's end I doubt that whoever the support person was who responded to that query even remembers it, and certainly no one else at BlueHost would.
The best solution is to make sure your antivirus and antispyware software is up to date and run a full scan of your computer - after removing anything it finds then try logging in again to see if that fixed the problem.
You also need to make sure your browser has all the latest patches installed and if you use plugins/extensions in your browser you would also want to try turning them all off to see if the problem disappears when you do that (in which case you can then track down which of the plugins/extensions is the cause of the problem).
That should identify the virus/trojan/browser bug/plugin/extension causing the problem and allow you to fix it.
wysiwyg
10-03-2008, 06:15 PM
Nope, the problem's on bluehost's end.
I might explain how if you really want after I get back from Religulous.
felgall
10-03-2008, 06:46 PM
If it is on BlueHost's end then how is it that it only affects a small percentage of accounts (or does that mean that there is a problem with one particular server)?
Those values definitely DO NOT appear in the URL when I use the form at the top right of the BlueHost home page.
wysiwyg
10-03-2008, 08:15 PM
Alright, here's the deal.
Bluehost has some irritating redirection voodoo going on that tries to make sure "www" is prefixed to their domain (see http://bluehost.com). While normally that's just pointless, it's actually harmful in this situation.
The script that processes the login form is located at http://bluehost.com/cgi-bin/cplogin, if you go there you'll notice it rewrites the URL to include the W's.
Now this is where it gets interesting. Let's say you go to http://bluehost.com/index.html. You are not redirected.
The login form submits data to "/cgi-bin/cplogin", and as I mentioned earlier, the URL is rewritten to include the W's if they aren't there. When this redirect happens the POST'd values that were previously hidden are now tacked onto the end as a query string; your username and password are now visible and in the browser's history.
The simple solution for Bluehost would be to get rid of the stupid redirect.
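Added example (not part of the thread, and not Bluehost's code): a small Python model of the redirect behaviour described in the post above, next to a host-canonicalizing redirect that never copies the request body into the URL, plus a check that flags credential-like parameters in a Location value. The host www.example.test, the field names user and pass, and all function names are assumptions made for illustration; only the path /cgi-bin/cplogin comes from the post.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

CANONICAL_HOST = "www.example.test"          # assumption: stand-in for the "www" host
SENSITIVE = {"user", "pass", "password"}     # assumption: credential field names


def redirect_leaky(host, path, query, body):
    """Model of the described flaw: request parameters (GET and POST merged)
    are re-serialized into the redirect target, so form fields land in the URL."""
    if host == CANONICAL_HOST:
        return None                          # already canonical, no redirect
    params = parse_qsl(query) + parse_qsl(body)
    location = f"http://{CANONICAL_HOST}{path}"
    if params:
        location += "?" + urlencode(params)
    return 302, location


def redirect_safe(host, path, query, method="POST"):
    """Canonicalize the host without reading the body. 308 asks the client to
    repeat the same method and body, so credentials stay out of the URL,
    the browser history and the access logs."""
    if host == CANONICAL_HOST:
        return None
    location = f"https://{CANONICAL_HOST}{path}" + (f"?{query}" if query else "")
    return (301 if method in ("GET", "HEAD") else 308), location


def leaked_fields(location):
    """Detection check for tests or log review: sensitive names in a Location URL."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(location).query)}
    return sorted(names & SENSITIVE)


# Constructed sample request: login form posted to the non-www host.
SAMPLE = dict(host="example.test", path="/cgi-bin/cplogin",
              query="", body="user=alice&pass=s3cret")

if __name__ == "__main__":
    status, loc = redirect_leaky(**SAMPLE)
    print(status, loc, leaked_fields(loc))
    status, loc = redirect_safe(SAMPLE["host"], SAMPLE["path"], SAMPLE["query"])
    print(status, loc, leaked_fields(loc))
```

Pointing the form's action at the canonical HTTPS URL directly avoids the redirect, and the first cleartext POST, altogether.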
felgall
10-03-2008, 08:27 PM
So the simple solution for all BlueHost users is to use the form on www.bluehost.com instead of the form on bluehost.com. That then solves the problem without BlueHost having to change anything (I do agree that they should fix it but since there is a work-around it isn't super urgent).