API Method called New_user calls for email and password. Is this secure?

Question

I am trying to leverage the API's of an online registration system called EventBrite. I am wondering specifically about the user_new method. The following is an example of a request URL for this method:

https://www.eventbrite.com/xml/user_new?email=user@eventbrite.com&passwd=xxxxx

Where user@eventbrite.com is the email and xxxxx is the password. This method would be called from an ASP.NET application, but I can't help but questions the security of this...I am just passing someone's email and password as text in a URL? Can someone help me understand the level of security given this information, and how to make this secure?

More information on the method: http://developer.eventbrite.com/doc/users/user_new/

Answer 1

I think you're right to be a little concerned, not because of interception as noted by Marc in the comments, but perhaps just because the server logs will have your URL (with password) logged in it. See discussion here Are querystring parameters secure in HTTPS (HTTP + SSL)?

Answer 2

I work on Eventbrite's API team, so hopefully I can help you out here.

As mentioned in another answer, server logs are the primary point of vulnerability here. While we take appropriate measures to control around security -- we do have a better potential option for you (rather than the supported /user_new method).

Our preferred authentication method is OAuth (http://developer.eventbrite.com/doc/authentication/oauth2/), and when you send a user through this flow, a user that doesn't have an existing account on Eventbrite has the option to sign up during this flow.

I hope this will help you accomplish the task that you were aiming for.

Cheers!