I just registered to ArcGIS Online to build my own map by adding Web Services.
Now when I do that, my ArcGIS-Online Cookie which contains my username, my token, my accountId, my role, my region, my culture etc. is send via REST to that URL I connect to.
I think this makes all the accounts pretty insecure. Or not? What do you think?