hookActionCustomerAccountAdd $params shows unencrypted password
Not sure if its a bug, but I am working on a module that connect to new user registration hook (hookActionCustomerAccountAdd) and I have noticed that the $params return all POST data including the password field.
I don’t know if its ok or not and if someone can use it to fetch users information.
You mean, a malicious module could steal that password?
Guessing by the hook name I assume it wants to enable creating user accounts elsewhere, e.g. on an LDAP server or in a nearby blog, wiki, whatever. For such actions one needs the password.