It's possible to obtain secondary application password from the HTML source.
vulners.com/securityvulns/securityvulns:doc:8099