Shuffle iT Forum

Dominion => Bug Reports => Other Bugs => Topic started by: JewelsJLF on 04 March 2017, 05:18:21 AM

Title: Security flaw: username and password in URL?
Post by: JewelsJLF on 04 March 2017, 05:18:21 AM
Occasionally, I can see my username and password in plaintext as URL parameters.  This seems to be a major security flaw??
Title: Re: Security flaw: username and password in URL?
Post by: Philip on 04 March 2017, 10:53:36 AM
There is no functionality that does anything with usernames and/or passwords as URL parameters. Additionally, we never change the URL you entered, which means that if there are any parameters, you either typed them in yourself, clicked on a link already containing them, or a 3rd party application/browser extension mangled it.

Just to check: are you talking about our Dominion Online application at https://dominion.games ? What exactly does the suspicious url look like? What browser are you using, and do you have any extensions installed that might affect something like this?
Title: Re: Security flaw: username and password in URL?
Post by: yed on 04 March 2017, 05:31:45 PM
Maybe this could happen with some old browser or some browser extension if there is a JavaScript onSubmit error? The login form is missing method="post" and I think the default method is GET. GET method is submitted into the URL. Just a theory...
Title: Re: Security flaw: username and password in URL?
Post by: Philip on 04 March 2017, 05:47:17 PM
I'll add method="post" just to be sure.
Title: Re: Security flaw: username and password in URL?
Post by: JewelsJLF on 05 March 2017, 04:06:15 AM
I've attached a screenshot.  I was using the Dashlane browser, but I wouldn't think they would do that since it's supposed to be a secure password manager...
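Added example (not part of the thread and not the site's own code): a check for the condition discussed above, a form containing a password field whose method attribute is missing and therefore falls back to GET, together with the URL a native submission of such a form would produce. The sample markup, field names and example.test URL are constructed assumptions.

```javascript
// Added example: flag forms that would put credentials in the URL.
// Markup, field names and URL are constructed, not taken from dominion.games.

// Per the HTML spec, a missing or unrecognised method attribute means GET.
function effectiveMethod(formTag) {
  const m = /\bmethod\s*=\s*["']?([a-z]+)/i.exec(formTag);
  const value = m ? m[1].toLowerCase() : "";
  return value === "post" || value === "dialog" ? value : "get";
}

// Return the opening tag of every <form> that holds a password input
// and would be submitted via GET.
function findCredentialGetForms(html) {
  const findings = [];
  const formRe = /<form\b[^>]*>[\s\S]*?<\/form>/gi;
  for (const [form] of html.matchAll(formRe)) {
    const openTag = form.slice(0, form.indexOf(">") + 1);
    const hasPassword = /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(form);
    if (hasPassword && effectiveMethod(openTag) === "get") {
      findings.push(openTag);
    }
  }
  return findings;
}

// URL the browser navigates to when such a form is submitted natively,
// e.g. because a script's submit handler threw before preventDefault().
function getSubmissionUrl(pageUrl, fields) {
  const url = new URL(pageUrl);
  url.search = new URLSearchParams(fields).toString();
  return url.toString();
}

// Constructed sample page: one login form without method, one with
// method="post", and one GET form that carries no password field.
const SAMPLE_HTML = `
<form id="login-a"><input name="username"><input type="password" name="password"></form>
<form id="login-b" method="post"><input name="username"><input type="password" name="password"></form>
<form id="search"><input name="q"></form>`;

const flagged = findCredentialGetForms(SAMPLE_HTML);
console.log("Forms leaking credentials into the URL:", flagged);
console.log(getSubmissionUrl("https://example.test/login",
  { username: "alice", password: "hunter2" }));
```

A URL built this way ends up in browser history, server access logs and Referer headers, which is why the fallback matters even when script normally intercepts the submit.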