TP-Link Storing Device Passwords in Plain Text in Cloud Accounts

A user accessed a TP-Link Omada cloud account and discovered a serious security vulnerability in the "Device Account" section where stored credentials are kept. While the username was displayed in plain text and the password field appeared to be masked with asterisks for security, further inspection revealed that the actual password was stored in plain text. The user was able to expose this by simply changing the HTML field type from "password" to "text," demonstrating that TP-Link is not properly encrypting or hashing user passwords in their cloud storage system. This discovery raises significant security concerns about TP-Link's data protection practices and the safety of user credentials stored on their cloud platform.