>"I can confirm the mac address is sent in the clear"
Forgive me if I'm missing something about TCP/IP, but why does that matter? Couldn't a man in the middle get your mac address anyway?
If not, I don't see this as such a flaw. I think they must have meant that they store it as a hash in the database. That way your data in their db is not linked to your true self/computer.
First, the idea behind hashing the MAC is so that they don't know your actual address. This doesn't work as MAC addresses have too small a space for hashing to be useful.
Second, the MAC address is only exposed on the local network. It is not transmitted over the Internet; it's only used at the link layer to identify nodes.
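The point made above, that a MAC address has too small a space for a plain hash to hide it, can be shown directly. The following is an added example written for this thread, not code from anyone in it: it hashes a MAC the way a vendor might "anonymise" it, then recovers the address by enumerating the 2^24 device IDs under a known OUI. The OUI, the target address and the key are constructed for illustration; the keyed (HMAC) variant at the end is shown for contrast, and it only stops outsiders, not the vendor who holds the key.

```python
"""Added example (not from the thread): reversing a hashed MAC address.

A MAC is 48 bits: a 24-bit vendor OUI plus a 24-bit device ID. Given a hash
and a plausible OUI, there are only 16,777,216 candidates to try, so anyone
holding the hash can recover the address. Names, OUI, target and key below
are constructed for illustration.
"""
import hashlib
import hmac
import time

SUFFIX_SPACE = 1 << 24  # 2^24 possible device IDs under one OUI


def format_mac(oui: str, suffix: int) -> str:
    """Build a canonical lowercase MAC ("aa:bb:cc:dd:ee:ff") from an OUI and a 24-bit suffix."""
    oui_hex = oui.replace(":", "").replace("-", "").lower()
    if len(oui_hex) != 6 or not (0 <= suffix < SUFFIX_SPACE):
        raise ValueError("OUI must be 3 bytes and suffix must fit in 24 bits")
    raw = bytes.fromhex(oui_hex) + suffix.to_bytes(3, "big")
    return ":".join(f"{b:02x}" for b in raw)


def hash_mac(mac: str, algo: str = "sha256") -> str:
    """The 'anonymising' transform: an unkeyed hash of the canonical MAC string."""
    return hashlib.new(algo, mac.lower().encode()).hexdigest()


def keyed_hash_mac(mac: str, key: bytes) -> str:
    """HMAC with a secret key: reversible only by whoever holds the key (i.e. the vendor)."""
    return hmac.new(key, mac.lower().encode(), "sha256").hexdigest()


def recover_mac(target_digest: str, oui: str, algo: str = "sha256",
                max_candidates: int = SUFFIX_SPACE):
    """Brute-force the device ID under a known OUI.

    Returns (mac, candidates_tried) on success, or (None, candidates_tried)
    if the digest matches nothing in the searched range.
    """
    for suffix in range(max_candidates):
        candidate = format_mac(oui, suffix)
        if hash_mac(candidate, algo) == target_digest:
            return candidate, suffix + 1
    return None, max_candidates


def estimate_full_sweep_seconds(oui: str, algo: str = "sha256", sample: int = 20000) -> float:
    """Time a sample of candidates and extrapolate to the whole 2^24 suffix space."""
    start = time.perf_counter()
    for suffix in range(sample):
        hash_mac(format_mac(oui, suffix), algo)
    elapsed = time.perf_counter() - start
    return elapsed / sample * SUFFIX_SPACE


if __name__ == "__main__":
    oui = "00:1a:2b"                      # constructed OUI
    victim = format_mac(oui, 0x001234)    # constructed target address
    digest = hash_mac(victim)

    found, tried = recover_mac(digest, oui)
    print(f"unkeyed sha256: recovered {found} after {tried} candidates")
    print(f"full sweep of one OUI would take about "
          f"{estimate_full_sweep_seconds(oui):.0f} s in pure Python")

    keyed = keyed_hash_mac(victim, b"vendor-secret-key")  # constructed key
    found, tried = recover_mac(keyed, oui, max_candidates=100000)
    print(f"keyed hmac without the key: recovered {found} after {tried} candidates")
```

A full sweep of one OUI is seconds to a minute on a laptop, and a table covering every registered OUI is only a few hundred gigabytes, so an unkeyed hash of a MAC is a pseudonym, not anonymisation. A keyed hash blocks an outsider who learns the digest, but the vendor who holds the key can still map any MAC to its stored record, which is exactly what the hashing was claimed to prevent.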
The MAC address is a globally unique identifier of the network card in the computer - hence it's pretty useful to uniquely identify the machine/user. It's also very stable; unlike cookies or data stored in the registry it won't be changed by the user or removed by crapware removal programs.