by euank 4478 days ago
I think you got a detail wrong.

I think that the app can only access all users registered with its api key. Same for passwords.

You say "all users registered on the site", the api says "Note, this can't be used to lookup just any user's password – the user must have been created by the API account."


However, the API key for any app can be discovered with zero effort, because it's included in each request. So you can retrieve the plaintext passwords for any user who has signed up with any app using the API.

Whoever created this monstrosity should be ashamed of themselves.

To reiterate: Any user of an app can look at the passwords of any user created with that app.
Dammit, thanks, I corrected that.