How not to write an API

You might have heard of a little web service called Criticker. It's a really great resource for finding film recommendations and I've used it extensively myself.

Some time ago they came up with an API and I started working on an Android app to make use of it. Before I finished mine, this excellent one by Mobulasoft hit the store. I pretty much gave up with it after that.

Fast forward a few years and I was looking for a little project to work on.

Edit: I'd contacted Criticker about the issue and they have issued a fix, taken the API down for review and requested I remove the post. I've removed the exact steps I took to reproduce the issue and following is a condensed description of the problem:

The API has a method for retrieving the list of users who signed up through the application.

It also has a method for retrieving the password of any user who signed up via the application.

An application is identified by a key which Criticker issue to the developer, but it was trivial for a malicious 3rd party to discover it. Using that key, the above two calls could be made to retrieve the passwords for all users who had signed up through the given app.