You're right. I just performed a packet capture of the site and login credentials are sent in plaintext, although the username is hashed to MD5. Not so good, and worse, it's hashed WITHOUT A SALT! So it would be really easy to decode most users' passwords if you could grab their traffic. Or someone could insert their own page.