
Cisco Live San Diego Case Study: Hunting Cleartext Passwords in HTTP POST Requests

Additional Post Contributors: Mindy Schlueter

On June 11, the Cisco Live San Diego SOC received a Cisco XDR Incident triggered by two Cisco Secure Firewall events. Both pointed to a Zeek detection: SNIFFPASS::HTTP_POST_Password_Seen. This is a clear sign that credentials were transmitted in unencrypted HTTP traffic.

This detection is a red flag: usernames and passwords are being sent in plaintext, making them easy targets for anyone monitoring the network. This kind of risky behavior is often caused by:

- Web apps using HTTP instead of HTTPS
- Users logging into misconfigured or outdated websites
- Legacy or IoT devices still using insecure protocols

Investigation Steps

1. Network Context — The SOC quickly identified the source: an endpoint on the participant’s Wi-Fi network.
2. Deep Dive with Packet Capture — Pivoting from Cisco XDR to Endace, analysts reviewed the full packet capture (PCAP). The destination? http://app[.]xxxxxxx[.]com[.]br, a backend endpoint used by a mobile app.
3. App Identification — The HTTP headers included X-Requested-With: com.xxxx.sell. This pointed to a Brazilian property management app available on the Google Play Store.
4. Scope of Exposure — Firewall logs revealed three endpoints on the Wi-Fi network had connected to this insecure app. The PCAP confirmed usernames and passwords were exposed in cleartext.

Takeaway and Response

The core issue: a publicly available mobile app (on both Android and iOS) uses unencrypted HTTP to transmit credentials. While the traffic wasn’t outright malicious, it posed a serious privacy risk. Rather than block the traffic, the SOC opted to educate the users on the dangers of using insecure apps — reinforcing the importance of encrypted communications.

Want to learn more about what we saw at Cisco Live San Diego 2025? Check out our main blog post — Cisco Live San Diego 2025 SOC — and the rest of our Cisco Live SOC content. We’d love to hear what you think!
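As an added illustration of the detection logic behind the Zeek notice discussed above (example code written for this post, not Zeek's SNIFFPASS script or Cisco's tooling), the Python below parses one constructed HTTP POST request taken from an unencrypted connection, flags password-like form fields, and pulls the X-Requested-With header that identified the app. The host name, package name and credentials in the sample are invented placeholders.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request (placeholder host, app package and credentials);
# it stands in for one POST observed in the PCAP of an unencrypted HTTP session.
SAMPLE_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: app.example.com.br\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "X-Requested-With: com.example.sell\r\n"
    "Content-Length: 36\r\n"
    "\r\n"
    "username=alice&password=hunter2&rm=1"
)

# Field names that usually carry a secret in a login form (simplified heuristic).
PASSWORD_KEYS = re.compile(r"(pass(word|wd|code)?|pwd|secret)", re.IGNORECASE)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def sniffpass_http_post(raw):
    """Return a finding if a form-encoded POST carries a password-like field, else None.

    The caller is assumed to feed only requests seen on plain HTTP; TLS traffic
    would never be readable to this check in the first place.
    """
    method, path, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    hits = [name for name in fields if PASSWORD_KEYS.search(name)]
    if not hits:
        return None
    return {
        "notice": "SNIFFPASS::HTTP_POST_Password_Seen",
        "host": headers.get("host"),
        "uri": path,
        "password_fields": hits,          # names only; never log the values
        "app": headers.get("x-requested-with"),
    }
```

Running sniffpass_http_post(SAMPLE_REQUEST) yields a finding naming the host, URI, the offending field name and the app package, which is the pivot the SOC used to identify the mobile app.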
Authors: Aditya Sankar, Technical Marketing Engineer, Security Business Group