by pyre 3644 days ago
As others are saying, using a GET request embeds that password in the URL, which means that server logs on eBay's side will have your password in them. Server logs aren't always the most protected thing in terms of locking down systems and permission management. On the flip side, most server logs do not have POST/PUT data logged.
2 comments

Ummm... you're assuming that eBay is using a standard web server configured in some default manner. It's far more likely that this is communication with a custom authentication server of some sort. (Where server means a very large collection of machines.)
It's likely that eBay's internal infrastructure has compensated for this, but it also seems like a potentially overlooked aspect of their system. Even if there are no server logs per se (unlikely), they might be sending request logging information to some sort of analytics server. Since these requests are internal, it's also possible that it's not SSL-protected, meaning that people internally could eavesdrop on the requests.
But the requests were POST in the picture.

Edit: They do also send GET ... that is worse.
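The thread's point is that a credential sent as a GET query parameter lands in every access log along the path, while a POST body normally does not. As an added example (not from the thread or from eBay), here is a small defender-side check: it parses constructed combined-format access log lines, flags request lines whose query string carries a credential-looking parameter name, and returns a redacted copy of the log suitable for forwarding to an analytics system. The parameter-name list and the sample lines are assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of query parameter names that should never appear in a request line.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret", "apikey", "api_key"}

# The quoted request field of an Apache/nginx "combined" log line: METHOD URL PROTOCOL.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample lines: one GET login with a password in the URL, the same login as a
# POST (body is not logged, so nothing leaks), an API key in a query string, and a benign
# search whose *value* contains the word "password" (parameter names, not values, matter).
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET /signin?user=alice&password=hunter2 HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Oct/2014:13:55:40 +0000] "POST /signin HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Oct/2014:13:56:01 +0000] "GET /api/items?q=laptop&apikey=k3yEXAMPLE HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2014:13:56:05 +0000] "GET /search?q=password+manager HTTP/1.1" 200 812',
]


def find_sensitive_params(url):
    """Return the sorted sensitive parameter names present in a URL's query string."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_PARAMS})


def redact_url(url, mask="REDACTED"):
    """Replace the value of every sensitive query parameter, keeping the rest of the URL intact."""
    parts = urlsplit(url)
    pairs = [(k, mask if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Return (findings, redacted_lines).

    findings is a list of (line_number, method, [param names]); redacted_lines is the
    input with credential-bearing URLs masked and all other lines left untouched.
    """
    findings, redacted = [], []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        params = find_sensitive_params(m.group("url")) if m else []
        if params:
            findings.append((n, m.group("method"), params))
            line = line[:m.start("url")] + redact_url(m.group("url")) + line[m.end("url"):]
        redacted.append(line)
    return findings, redacted


if __name__ == "__main__":
    for n, method, params in scan_log(LOG_LINES)[0]:
        print(f"line {n}: {method} request leaks {', '.join(params)}")
```

Running it reports lines 1 and 3 only; the POST on line 2 shows nothing because the body never reaches the access log, which is exactly why the GET variant is the worse of the two.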