Sometimes human stupidity still surprises me.

Today I was able to stop the release of a ticket at the last moment that intended to put urls WITH A SECURITY TOKEN TO ACCESS USER DATA through a link shortener.
Some PM assumed that it would be a reasonable course of action to map an url secured via jwt through to a 4 character, countable, base64 string so that we don't have to send multiple sms if they contain this url. I can accept that the implications might slip through one person but the fact that this was put into a ticket by a pm, prioritized by PO, estimated by an entire team, implemented by a professional developer, reviewed by a senior and then scheduled for release without anyone asking themselves if there might be a reason for a security token to be long, that one shocks me.

  • 1
    ... but the URL shortener masks the value so totally secure.

    I mean no one reads the link after redirection.
  • 1
    I forget does ssl mask the query parameters when a post is done ?
    So they couldn’t be sniffed out for example ?
  • 0
    @killames no it does not
  • 3
    @dan-pud so why would an access token be in the url ?
  • 3
    @killames Yeah, I have the same question. Why does the size of the "security token" matter if it is in the url? This sounds insecure by itself.
  • 3
    @Lensflare Query parameters are of course secured by ssl. Http as a whole is plain text, on the transport layer the only difference between data in the query or the body is if it's on the first or last line of the request.

    Just look at the encrypted request with Wireshark, all thats leaked is the domain to resolve to.
    Doesn't mean that I'm a fan though, makes our server logs into a valuable target and sms is a pretty insecure transfer but that doesn't mean that one needs to create a enumerable list of urls^^.
  • 0
    @Godisalie You're a good man for stopping that.
    4 chars and COUNTABLE is basically inviting anyone with some basic 1337 knowledge and an IQ above room temperature to try out some values.

    I am truly amazed how nobody else in that chain had a spare thought on it...

    IT education should put more effort into teaching basic security 101.
  • 0
    @Godisalie tis why I asked but doesn’t prevent two things

    Browser hijack or mitm

    Course I don’t know what would
    Web sucks
Add Comment