[Etzos]

The vendor does not have root on your machine or access to the loopback interface. Your machine's loopback interface should not be exposed through a SOCKS proxy unless you specifically tell it to do so (which is a terrible idea for reasons beyond just this situation).

[jMyles]

I see. So the loopback traffic occurs on the local machine, the password is decrypted, and only then sent over the regular HTTP(S) connection (with this last bit being the only traffic on the SOCKS)?

[jlgaddis]

Yes. Check your settings for your proxy to make sure you aren't sending traffic for localhost over the proxy.

(In Firefox, for example, it's excluded automatically.)