It is nice to see that the community has started discussing security loopholes openly; after all, it is done with the good intention of improving the product. Thanks to Carlos Gonzalez for his blog showing how SAI_AE_DETAILS_GET can be used to find PIISUSER’s password. Here are my findings on another way to get the password.
1. Open http://host:port/MessagingSystem
2. Check Received Messages and then the details.
3. Here you have the Base64-encoded username:password in the Transport Header.
4. After you decode UElJU1VTRVI6c3RhcnQyMDEw you finally get the username and password, PIISUSER:start2010.
This means that even restricting access to SE37 (FM SAI_AE_DETAILS_GET) won’t actually help, and having different passwords for the various service users seems to be the only way to be safer and more secure.
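As an added example (not part of the original post), the following Python sketch audits an exported header dump for the exposure described above: it masks every Basic credential, lists the users whose credentials were stored, and groups users that share one password. The `authorization: Basic <value>` line format, the function names and the `DEMOUSER2`/`DEMOUSER3` entries are assumptions made for illustration.

```python
import base64, binascii, hashlib, re
from collections import defaultdict

# Assumed dump format: "authorization: Basic <base64>" somewhere in the text.
BASIC_RE = re.compile(r"(authorization\s*[:=]\s*basic\s+)([A-Za-z0-9+/]+={0,2})",
                      re.IGNORECASE)

def audit_headers(text):
    """Return (redacted_text, exposed_users, reused_groups) for a header dump."""
    users_by_pw = defaultdict(set)  # password fingerprint -> usernames
    exposed = []

    def mask(match):
        try:
            decoded = base64.b64decode(match.group(2), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return match.group(0)  # not a decodable credential: leave untouched
        user, sep, password = decoded.partition(":")
        if not sep:
            return match.group(0)
        exposed.append(user)
        # Keep only a fingerprint so reuse is detectable without storing the secret.
        users_by_pw[hashlib.sha256(password.encode()).hexdigest()].add(user)
        return match.group(1) + "[REDACTED]"

    redacted = BASIC_RE.sub(mask, text)
    reused = sorted(sorted(group) for group in users_by_pw.values() if len(group) > 1)
    return redacted, exposed, reused

def _hdr(credential):
    return "authorization: Basic " + base64.b64encode(credential.encode()).decode()

# Constructed sample dump: the first credential is the value quoted in the post,
# the DEMOUSER entries are invented service users for the reuse check.
SAMPLE = "\n".join([
    "content-type: text/xml",
    "authorization: Basic UElJU1VTRVI6c3RhcnQyMDEw",
    _hdr("DEMOUSER2:start2010"),
    _hdr("DEMOUSER3:Different#1"),
])

if __name__ == "__main__":
    redacted, exposed, reused = audit_headers(SAMPLE)
    print(redacted)
    print("users with stored credentials:", exposed)
    print("users sharing one password:", reused)
```

Any group reported as sharing a password is where one leaked Transport Header exposes more than one service user.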