by mwfunk 4478 days ago
They've already screwed over their users to such a degree with this implementation that the only sane thing to do is to warn all of the user base to stop using it at once and never go back.

What's described in this article indicates a level of incompetence far beyond any hope of forgiveness by those users. If there was any reason at all to trust the API's designers, then what you describe would be the correct response, but this is very much a case where the only rational response is to tell everyone to leave immediately, forever. It's truly an unforgivable lapse of technical judgement.

It's not the way it is because of some honest mistake that someone made, like most security bugs are. This was by design, and it's bad enough that there's no reason to believe that the designers are capable of coming up with a better design.

EDIT: As others have pointed out, he did warn them. Even more WTF then!


I think saying that he "warned them" is a bit dishonest. He said the following as a side note 4 years ago:

    I've just checked and you can obtain the password through an API call 
    after you register a new API user.

They designed this functionality, so they clearly knew it was possible; what he didn't do was explain the impact (take public key from app -> request user password), and if he hasn't notified them since that post, it's entirely possible that they never had a reason to reconsider that (awful) decision. That post 4 years ago can't really be considered "responsible disclosure".

Not trying to excuse Criticker, but from my POV as a user, this isn't exactly Mt.Gox or a bank; it's a website to rate movies, and all the information you put there is already public. All someone can do with my password is rate movies on my behalf.

Again, this doesn't excuse them, especially since we all know people reuse passwords. I'm just saying that the site is useful even if you know everyone can get in.

A lot of people reuse passwords across multiple sites - so nab their plain-text password, find out their email address, and you're likely able to log into various other services using their credentials.