hackerone / ashesh / H1:7950

Localize: User credentials are sent in clear text

2014-04-18 04:19:17
ashesh
hackerone.com
24

Vulnerability description
User credentials are transmitted over an unencrypted channel. This information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users.
This vulnerability affects /pages/sign_up.
Discovered by: MANUALLY
Attack details
Form name: <empty>
Form action: http://www.localize.io/pages/sign_up
Form method: POST

Form inputs:

CSRFToken [Hidden]
sign_up[type] [Radio]
sign_up[username] [Text]
sign_up[password1] [Password]
sign_up[password2] [Password]

HTTP headers
Request
GET /pages/sign_up HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.localize.io/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: PHPSESSID=p7a9qe8eq7eeq8e3om99itrku5
Host: www.localize.io
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Response
HTTP/1.1 200 OK
Date: Fri, 18 Apr 2014 04:18:21 GMT
Server: Apache
Pragma: no-cache
Expires: Mon, 24 Mar 2008 00:00:00 GMT
Cache-Control: no-cache, no-store
X-Frame-Options: sameorigin
Vary: Accept-Encoding
Content-Length: 5715
Keep-Alive: timeout=15, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Original-Content-Encoding: gzip

The impact of this vulnerability
A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

How to fix this vulnerability
Because user credentials are considered sensitive information, they should always be transferred to the server over an encrypted connection (HTTPS).