Sherif reported that the mobile link seems to be appending POST fields when generating the url, so after submitting a username/password, the password is in the text of the resulting page.
curl -i -s -k -X 'POST' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0' -H 'Referer: http://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&returnto=Main+Page' -H 'Content-Type: application/x-www-form-urlencoded' \ -b 'GeoIP=GB::51.5000:-0.1300:v4; centralnotice_bucket=1-4.2; uls-previous-languages=%5B%22en%22%5D; mediaWiki.user.sessionId=YI03bpxPjata58Fp5ZwwvIEB1r9p3PZs; enwikiSession=414940d3638c0d8c1bc3899d56b23f1a' \ --data-binary $'wpName=%27%27&wpPassword=%27%27&wpLoginAttempt=Log+in&wpLoginToken=3037b08023402e508455f7340476341c' \ 'http://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main+Page'
Version: unspecified
Severity: normal