United’s Insecure Login Page

One of United Airlines' login pages potentially sends login credentials in plaintext. www.united.com/web/en-US/apps/account/account.aspx (the login page reached by clicking “Sign In” in the upper right of the homepage) can be accessed over HTTP or HTTPS, and the login form sends (POST) its contents to signin.aspx over whichever type of connection account.aspx was served from.

For a long time I didn’t realize this was a problem, because even when www.united.com/web/en-US/Default.aspx is served over HTTP, it submits usernames and passwords over HTTPS.

It appears all United Airlines pages support HTTPS, so I recommend starting your use of United.com by browsing to https://www.united.com/.