Thorsten Glaser and Axel Beckert reported that lynx, a non-graphical web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credential in cleartext in SNI data.