Comment 1 for bug 1929037

Anton (ivanovant) wrote :

I have realized that this bug is more serious than I thought. Landscape provides an API, and crucially, when the API is used through HTTP requests, all secrets are sent via GET parameters, for example (https://landscape.canonical.com/static/doc/api/requests.html):
https://landscape.canonical.com/api/
    ?action=GetComputers&
    access_key_id=0GS7553JW74RRM612K02EXAMPLE&
    signature_method=HmacSHA256&
    signature_version=2&
    timestamp=2011-08-18T08%3A07%3A00Z&
    version=2011-08-01&
    signature=W1TCDh39uBCk9MlaZo941Z8%2BTWqRtdgnbCueBrx%2BtvA%3D
All GET parameters will be shown at the /server-status endpoint. The attacker can't create an arbitrary API request, because he doesn't have the API secret key, but he can repeat requests performed by legitimate users within some timeframe.
For example, he can get private information by repeating a GetSettings API request, or perform unauthorized actions using a RebootComputers API request.
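As an added illustration (not part of the bug report and not Landscape's own code), the following Python models the scenario described above: a client signs a GetComputers request with an AWS-style signature version 2 (HMAC-SHA256 over method, host, path and the sorted query string; that canonicalization is assumed here and may differ from Landscape's), a constructed mod_status line leaks the full request-URI, and a verifier that only bounds the timestamp accepts the harvested request again while still rejecting a forged action. The replay-tracking variant of the verifier is a hypothetical mitigation, not something the report proposes. The access key, secret, host and status line are all constructed for the demo.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlencode

# Constructed credentials and endpoint for the demo; not real Landscape keys.
ACCESS_KEY_ID = "0GS7553JW74RRM612K02EXAMPLE"
SECRET_KEY = "constructed-secret-key-not-real"
HOST = "landscape.canonical.com"
PATH = "/api/"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def canonical_query(params):
    # Sorted, RFC 3986 encoded query string (AWS signature v2 style; assumed,
    # not verified against Landscape's actual scheme).
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def sign_params(params, secret, host=HOST, path=PATH):
    # HMAC-SHA256 over method, host, path and canonical query, base64 encoded.
    string_to_sign = "\n".join(["GET", host, path, canonical_query(params)])
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_request(action, when, secret=SECRET_KEY):
    # The request-URI a legitimate client sends: key id, timestamp and signature
    # all travel in the query string, exactly what /server-status will display.
    params = {
        "action": action,
        "access_key_id": ACCESS_KEY_ID,
        "signature_method": "HmacSHA256",
        "signature_version": "2",
        "timestamp": when.strftime(TS_FMT),
        "version": "2011-08-01",
    }
    params["signature"] = sign_params(params, secret)
    return PATH + "?" + urlencode(params)


def harvest_from_server_status(status_text):
    # Attacker side: pull full request-URIs out of mod_status-style lines.
    found = []
    for line in status_text.splitlines():
        if "GET /api/?" in line:
            start = line.index("/api/?")
            end = line.index(" HTTP/", start)
            found.append(line[start:end])
    return found


class Verifier:
    # Server side. With track_replays=False it only bounds the timestamp, so a
    # harvested request stays replayable for up to max_skew.
    def __init__(self, secrets, max_skew=timedelta(minutes=5), track_replays=False):
        self.secrets = secrets
        self.max_skew = max_skew
        self.track_replays = track_replays
        self.seen_signatures = set()

    def verify(self, request_uri, now):
        path, _, query = request_uri.partition("?")
        params = dict(parse_qsl(query, keep_blank_values=True))
        presented = params.pop("signature", None)
        secret = self.secrets.get(params.get("access_key_id"))
        if secret is None or presented is None:
            return "bad_credentials"
        expected = sign_params(params, secret, path=path)
        if not hmac.compare_digest(expected, presented):
            return "bad_signature"  # no secret key, so no new requests can be minted
        ts = datetime.strptime(params["timestamp"], TS_FMT).replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.max_skew:
            return "expired"
        if self.track_replays:  # hypothetical mitigation: each signature is one-time use
            if presented in self.seen_signatures:
                return "replayed"
            self.seen_signatures.add(presented)
        return "ok"


# Constructed Apache extended-status line; the last column is the request line.
STATUS_LINE = "0-0\t4242\t0/3/3\t_\t0.03\t2\t0\t0.0\t0.00\t0.00\t10.0.0.5\t{host}:443\tGET {uri} HTTP/1.1"


def demo():
    t0 = datetime(2011, 8, 18, 8, 7, 0, tzinfo=timezone.utc)
    legit = build_request("GetComputers", t0)
    harvested = harvest_from_server_status(STATUS_LINE.format(host=HOST, uri=legit))
    naive = Verifier({ACCESS_KEY_ID: SECRET_KEY})
    hardened = Verifier({ACCESS_KEY_ID: SECRET_KEY}, track_replays=True)
    forged = harvested[0].replace("action=GetComputers", "action=RebootComputers")
    return {
        "harvested_count": len(harvested),
        "legit": naive.verify(legit, t0),
        "replay_in_window": naive.verify(harvested[0], t0 + timedelta(minutes=2)),
        "replay_after_window": naive.verify(harvested[0], t0 + timedelta(minutes=30)),
        "forged_action": naive.verify(forged, t0),
        "hardened_first": hardened.verify(legit, t0),
        "hardened_replay": hardened.verify(harvested[0], t0 + timedelta(minutes=2)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running demo() shows the two halves of the report: the harvested URI verifies as "ok" two minutes later under the timestamp-only check, while editing the action to RebootComputers fails with "bad_signature". The one-time-signature check is only a sketch; in practice the fix is to keep credentials out of the query string and not to expose /server-status to untrusted clients at all.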