Discovered March 2nd, 2012
Reported March 2nd, 2012
Status: Not Resolved
The beta SiriusXM web player stores the username and password in plain text in the file "username.sol" under the Macromedia Flash Player settings folder in your Application Data/Roaming folder.
The file is found in the Flash local settings directory, shown here with a Windows 7 profile path:
C:%HOMEPATH%\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\[profile]\www.siriusxm.com\player\beta\siriusXMPlayer\siriusXM.swf\username.sol
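To verify a collected username.sol without echoing what it holds, here is an added example (not from the original report, and not SiriusXM's code) that decodes the AMF0 layout of a Flash shared object and reports which credential-like keys are stored as readable strings. The key names and values in the constructed fixture are assumptions, since the report does not list the keys inside the file, and SUSPECT is an assumed list of name fragments.

```python
import struct
# Flash Local Shared Object (.sol) layout: 0x00BF, 4-byte body length, "TCSO" plus six
# fixed bytes, 2-byte root name length, root name, three zero bytes, one AMF version
# byte (0 = AMF0), then repeated entries of (2-byte key length, key, AMF0 value, 0x00).
SOL_MAGIC = b"TCSO\x00\x04\x00\x00\x00\x00"
SUSPECT = ("user", "login", "pass", "pwd")      # assumed credential-like key fragments

def build_sol(root, values):
    """Constructed test fixture: encode str/bool values as an AMF0 .sol (not real data)."""
    body = b""
    for key, val in values.items():
        body += struct.pack(">H", len(key.encode())) + key.encode()
        if isinstance(val, bool):
            body += b"\x01" + bytes([val])              # AMF0 boolean marker + byte
        else:
            body += b"\x02" + struct.pack(">H", len(val.encode())) + val.encode()
        body += b"\x00"                                 # trailer after every entry
    rest = SOL_MAGIC + struct.pack(">H", len(root.encode())) + root.encode() + b"\x00" * 4 + body
    return b"\x00\xbf" + struct.pack(">I", len(rest)) + rest

def _amf0(buf, pos):
    """Decode one AMF0 string or boolean at buf[pos]; return (value, next_pos)."""
    marker, pos = buf[pos], pos + 1
    if marker == 0x01:                                  # boolean
        return buf[pos] != 0, pos + 1
    if marker == 0x02:                                  # string: 2-byte length + UTF-8
        n = struct.unpack(">H", buf[pos:pos + 2])[0]
        return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n
    raise ValueError(f"AMF0 marker 0x{marker:02x} not handled by this example")

def parse_sol(data):
    """Return (root_name, {key: value}) for an AMF0 .sol; AMF3 bodies are rejected."""
    if data[:2] != b"\x00\xbf" or data[6:16] != SOL_MAGIC:
        raise ValueError("not a Flash shared object")
    n = struct.unpack(">H", data[16:18])[0]
    root, pos = data[18:18 + n].decode(), 18 + n + 3    # skip the three padding bytes
    if data[pos] != 0:
        raise ValueError("AMF3 body not handled by this example")
    pos, values = pos + 1, {}
    while pos < len(data):
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        key = data[pos + 2:pos + 2 + n].decode()
        values[key], pos = _amf0(data, pos + 2 + n)
        pos += 1                                        # consume the 0x00 trailer
    return root, values

def credential_keys(values):
    """Credential-like keys whose value is a readable string; values are never returned."""
    return sorted(k for k, v in values.items()
                  if isinstance(v, str) and v and any(f in k.lower() for f in SUSPECT))
```

Running credential_keys over a file collected from a user's profile tells you whether secrets are stored readably without writing the secrets themselves to a report.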
As an administrator with access to users' desktops, I was able to scan for and find multiple credential files on our client's desktops. After discovering this, I contacted SiriusXM, who replied that application security is taken seriously and that they would pass this information on to the developers. One month later, nothing has changed. The username and password for a user's SiriusXM account are still stored in plain text in this file.
If you listen to SiriusXM online, I would recommend that you do not store your credential information locally using the "remember me" feature and, until this is resolved, that you do not use the beta player.
Storing the username and password in plain text is a basic programming failure. The number of instances of data theft is staggering, yet developers are still making these egregious mistakes during development.