Additional Post Contributors: Mindy Schlueter
On June 11, the Cisco Live San Diego SOC received a Cisco XDR Incident triggered by two Cisco Secure Firewall events.
Both pointed to a Zeek detection: SNIFFPASS::HTTP_POST_Password_Seen. This is a clear sign that credentials were transmitted in unencrypted HTTP traffic.
This detection is a red flag: Usernames and passwords are being sent in plaintext, making them easy targets for anyone monitoring the network. This kind of risky behavior is often caused by:
- Web apps using HTTP instead of HTTPS
- Users logging into misconfigured or outdated websites
- Legacy or IoT devices still using insecure protocols
Investigation Steps
- Network Context — The SOC quickly identified the source: an endpoint on the participant’s Wi-Fi network.
- Deep Dive with Packet Capture — Pivoting from Cisco XDR to Endace, analysts reviewed the full packet capture (PCAP). The destination? http://app[.]xxxxxxx[.]com[.]br, a backend endpoint used by a mobile app.
- App Identification — The HTTP headers included X-Requested-With: com.xxxx.sell. This pointed to a Brazilian property management app available on the Google Play Store.
- Scope of Exposure — Firewall logs revealed three endpoints on the Wi-Fi network had connected to this insecure app. The PCAP confirmed usernames and passwords were exposed in cleartext.
Takeaway and Response
The core issue: A publicly available mobile app (on both Android and iOS) uses unencrypted HTTP to transmit credentials. While the traffic wasn’t outright malicious, it posed a serious privacy risk.
Rather than block the traffic, the SOC opted to educate the users on the dangers of using insecure apps — reinforcing the importance of encrypted communications.
Want to learn more about what we saw at Cisco Live San Diego 2025? check out our main blog post — Cisco Live San Diego 2025 SOC — and the rest of our Cisco Live SOC content.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
Cisco Security Social Media
Share:
