Sharkscope password change is not secure

08-08-2010 , 01:03 PM
The password function on Sharkscope (www.sharkscope.com) is not secure.

You can verify this in many ways. For example, if you change your email (options/change email) it asks you to enter your password. The password is then sent via the URL -- look in the URL section of your browser and you will see your unencrypted password.
08-08-2010 , 01:07 PM
I am curious, what value is there in having your Sharkscope login other than stealing a few lookups?
08-08-2010 , 01:36 PM
I didn't look at it extensively, but the OP appears to be incorrect:

Code:
	var cObj = YAHOO.util.Connect.asyncRequest(
		'GET',
		encodeURI('/SharkScope/ChangePassword?Username=' + Username
			+ '&Password=' + hex_md5(document.changepasswordform.OldPassword.value)
			+ '&NewPassword=' + hex_md5(document.changepasswordform.NewPassword.value))
			+ NoCacheURL(),
		callback,
		null);
What matters is not that the site displays "http" with a field on the page for the login and password. What matters is how that password is sent to the server.
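Added example, not part of the original thread and not Sharkscope's code: the request quoted above carries `Password` and `NewPassword` in a GET URL, so the values end up wherever URLs are stored (browser history, proxy logs, server access logs). The sketch below audits request lines for such parameters and produces a redacted copy; the parameter list, the `/example/change-email` path, the user name and every log line are constructed for illustration.

```javascript
// Added example: audit request lines for credentials carried in the URL.
// CRED_PARAMS and SAMPLE_LOG are constructed; they are not taken from the site.
const CRED_PARAMS = new Set(['password', 'oldpassword', 'newpassword']);
const MD5_HEX = /^[0-9a-f]{32}$/i;

// Parse one "METHOD target HTTP/x" request line, report every credential-like
// query parameter, and return a copy of the line that is safe to store.
function auditRequestLine(line) {
  const [method, target] = line.trim().split(/\s+/);
  if (!target) return { findings: [], redacted: line.trim() };
  const url = new URL(target, 'http://placeholder.invalid');
  const findings = [];
  for (const [name, value] of url.searchParams) {
    if (!CRED_PARAMS.has(name.toLowerCase())) continue;
    // A bare 32-hex value is an unsalted digest: the same password always
    // yields the same value, and the digest itself acts as the credential.
    findings.push({ method, param: name, kind: MD5_HEX.test(value) ? 'md5-hex' : 'cleartext' });
  }
  for (const f of findings) url.searchParams.set(f.param, 'REDACTED');
  return { findings, redacted: `${method} ${url.pathname}${url.search}` };
}

// Keep only the lines that exposed something.
function auditLog(lines) {
  return lines.map(auditRequestLine).filter((r) => r.findings.length > 0);
}

// Constructed sample lines (digests are placeholder hex, not real hashes).
const SAMPLE_LOG = [
  'GET /SharkScope/ChangePassword?Username=alice&Password=0123456789abcdef0123456789abcdef&NewPassword=fedcba9876543210fedcba9876543210 HTTP/1.1',
  'GET /example/change-email?Username=alice&Password=hunter2 HTTP/1.1',
  'POST /SharkScope/ChangePassword HTTP/1.1', // fields in the body: nothing in the URL
];

for (const r of auditLog(SAMPLE_LOG)) {
  console.log(r.redacted, r.findings.map((f) => `${f.param}:${f.kind}`).join(','));
}
```

Sending the same fields in a POST body over HTTPS keeps them out of the URL, which is why the third sample line produces no finding.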
08-08-2010 , 02:18 PM
Quote:
Originally Posted by Professionalpoker
I am curious, what value is there in having your Sharkscope login other than stealing a few lookups?
depends if anyone is silly enough to use the same password for poker accounts I guess...
08-08-2010 , 02:43 PM
Quote:
Originally Posted by Professionalpoker
I am curious, what value is there in having your Sharkscope login other than stealing a few lookups?
Maybe it's the same login for a poker account
08-08-2010 , 03:59 PM
Funny.

Like two days ago a guy posted a link to Sharkscope in which you could see his login name and the password as an MD5 hash.
I needed like 30 secs to get his password and finally tried to log in; obv it did work.
I asked a mod to remove the link and also wrote a PM to the guy that I know his password and he should remove the link, because others could do some crap with it.
08-08-2010 , 04:34 PM
^^^
Confirmed.