Pocket Integrations

I was thinking about doing some integration against Pocket for saving my Firefox links when I log out of my machine at night. However, when I went and looked at the offered API, here is what I saw:

https://readitlaterlist.com/v2/add?username=name&password=123&apikey=yourapikey&url=http://google.com&title=Google 

This is a POST request that you make when you want to add something to your Pocket list.

Notice anything strange?

Take another look.

They are expecting you to send the user's password as part of the URL! WTF? Not an encrypted or otherwise obfuscated password, but the actual password.

I’m sorry, Pocket, but I’m really not going to play this game with you any more.
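
A URL's query string is routinely recorded in web server access logs, so a password placed there ends up stored in plain text. As an added example (not from the original post and not Pocket's code), the Python below flags and masks secret-bearing parameters in request URLs and access-log lines; the parameter names beyond `password` and `apikey`, and the sample log lines, are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secrets. "password" and "apikey" come from the
# URL shown in the post; the others are assumptions added for this example.
SENSITIVE = {"password", "passwd", "pwd", "apikey", "api_key", "token", "secret"}

def leaked_params(url):
    """Return the names of secret-bearing query parameters present in url."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [k for k, v in pairs if k.lower() in SENSITIVE and v]

def redact(url):
    """Return url with the values of secret-bearing parameters masked."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # Keep ':' and '/' unescaped so nested URLs stay readable in the output.
    return urlunsplit(parts._replace(query=urlencode(pairs, safe=":/")))

# Request line inside an access-log entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH) (\S+) HTTP/[\d.]+"')

def scan_log(lines):
    """Yield (line number, leaked parameter names, redacted target) per hit."""
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m and (names := leaked_params(m.group(1))):
            yield n, names, redact(m.group(1))

# Constructed sample lines (not real traffic); the first reuses the query
# string from the post, the second is an ordinary request with no secrets.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:23:59:01 +0000] "POST /v2/add?username=name&password=123&apikey=yourapikey&url=http://google.com&title=Google HTTP/1.1" 200 2',
    '203.0.113.7 - - [01/Jan/2024:23:59:05 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, names, target in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {names} -> {target}")
```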


Tags: pocket, api, security, fail, wtf