So yes. The data contained in the URL query on an HTTPS connection is
encrypted. However, it is very poor practice to include such sensitive
data as a password in a ‘GET’ request. While it cannot be
intercepted, the data would be logged in plaintext server logs on the
receiving HTTPS server, and quite possibly also in browser history. It
is probably also available to browser plugins and possibly even other
applications on the client computer. At most an HTTPS URL could be
reasonably allowed to include a session ID or similar non-reusable
variable. It should NEVER contain static authentication tokens.
Been wondering this myself for a while, and had been too lazy to look it up until now. Interesting, a number of Google services APIs do exactly this. I hope they eventually move away from it, because once a Google account falls, the others fall very quickly.
But then again, AuthSub is deprecated, and OAuth is ridiculously overcomplicated.
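
The server-log exposure described above can be checked for directly. The following is an added example, not part of the original post: it scans access-log lines for credential-like query parameters and produces a redacted copy of each offending entry. The parameter names in `SENSITIVE` and the log lines in `SAMPLE_LOG` are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Query parameter names treated as credentials (assumption; tune per application).
SENSITIVE = {"password", "passwd", "pwd", "token", "auth", "api_key", "secret"}

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def sensitive_params(target):
    """Return names of credential-like query parameters in a request target."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [k for k, _ in pairs if k.lower() in SENSITIVE]

def redact_target(target):
    """Rebuild the request target with credential values replaced."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()

def scan(lines):
    """Return (line_no, method, param_names, redacted_line) per leaking entry."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        names = sensitive_params(m.group("target"))
        if names:
            clean = (line[:m.start("target")] + redact_target(m.group("target"))
                     + line[m.end("target"):])
            findings.append((n, m.group("method"), names, clean))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /feed?Auth=abc123&max=10 HTTP/1.1" 200 2048',
    '198.51.100.2 - - [10/Oct/2023:13:56:09 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line_no, method, names, clean in scan(SAMPLE_LOG):
        print(f"line {line_no}: {method} carries {names} in the URL")
        print(f"  redacted: {clean}")
```

The POST to `/login` is not flagged because its credentials travel in the request body, which the access log does not record.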