You are absolutely correct about that. The security team just did an assessment of Pega Web Mashup and found the issue. It is my understanding that this only occurs when we are doing configuration tasks during development and should not be seen in production.
If you find issues in any Pega Application, I would urge you to contact the SpyVsSpy team.
To further expand on Matt's remark, Pega Web Mashup has several capabilities designed to facilitate development, testing and debugging of complex mashup implementations. Allowing the use of stored credentials on a page is one of those. In addition, the Pega Gadget Manager is provided to allow developers to easily create gadgets; this UI tool is part of the Pega Gateway. While these Pega Web Mashup capabilities provide developers with some great tools, they should never be used/deployed in production environments.
Lastly, it is a best practice to use token-based authentication for seamless or single sign-on for your website that embeds Pega gadgets.
See the PDN for more information about authentication with Pega Web Mashup.
I hope you find this information useful and thank you for your post!