Mahara Mobile before 1.2.1 is vulnerable to passwords being sent to the Mahara access log in plain text.