muCommander before 0.8.2 stores credentials.xml with insecure permissions, which allows local users to obtain credentials.