Is It Safe to Include Access Tokens in URL Parameters?

Asked By CuriousCat42 On

I recently discovered something concerning while my mom was using a website to create and send birthday cards. She generated a link to share a project with a friend, which then included an access token in the URL. When the friend clicked it, they seemingly gained complete access to her account, with the ability to send cards or even change her password without any prompts for authentication. I'm mostly a front-end designer and usually leave security to the experts, but this whole situation raises a lot of red flags for me. Is it typical to include access tokens like this in URLs? What should be done to improve security in such implementations?

4 Answers

Answered By TechieTom123 On

You're spot on! Many websites will send tokens via URLs for actions like email verification, but those should be one-time use and not give full account access. A good practice is to reset or expire tokens during sensitive actions like password changes. Definitely sounds like a security oversight on their end!

SecureCodeGuru -

Exactly! Using tokens in URLs can be common, but they should be heavily restricted. If it’s a JWT, check its contents with a decoder to see how it’s intended to work.

Answered By CodeWizard99 On

It's generally a bad idea to expose access tokens in URLs. They should ideally be stored in the Authorization header for security reasons. There are exceptions, like when you might need a one-time use token, but those should be time-limited and not tied to full account access. It sounds like this site isn't following best practices, and you might want to reach out to their support team about it.

DevNerd85 -

Yeah, I agree! Exposing tokens like that can lead to significant security issues. It's alarming they let anyone access the entire account just through a simple link.
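The scoped, one-time, time-limited share token that CodeWizard99 and TechieTom123 describe, as an added example that is not the card site's code and not from anyone in this thread. The in-memory store standing in for a database, the `User`/`ShareToken` records, the `password_version` field and both URL shapes are assumptions; the point is that redeeming the link yields a narrow grant for one project and never a session.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class User:
    user_id: str
    password_version: int = 1  # bumped on every password change (assumed field)


@dataclass
class ShareToken:
    owner_id: str
    project_id: str
    scope: FrozenSet[str]
    expires_at: float
    password_version: int  # owner's version when the token was issued
    used: bool = False


def insecure_share_link(base_url: str, project_id: str, session_token: str) -> str:
    """The pattern described in the question: the owner's own account token is
    pasted into a shareable URL, so whoever holds the link holds the account."""
    return f"{base_url}/project/{project_id}?access_token={session_token}"


class ShareTokenStore:
    """Issues and redeems single-use, short-lived, project-scoped share tokens.
    Hypothetical in-memory store standing in for a database table."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, ShareToken] = {}

    @staticmethod
    def _hash(raw: str) -> str:
        # Only a hash is stored: a leaked copy of the table yields no usable links.
        return hashlib.sha256(raw.encode("ascii")).hexdigest()

    def issue(self, owner: User, project_id: str, ttl_seconds: int = 3600,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[self._hash(raw)] = ShareToken(
            owner_id=owner.user_id,
            project_id=project_id,
            scope=frozenset({"project:view"}),  # never anything account-wide
            expires_at=now + ttl_seconds,
            password_version=owner.password_version,
        )
        return raw

    def redeem(self, raw: str, project_id: str, users: Dict[str, User],
               now: Optional[float] = None) -> Optional[dict]:
        """Return a narrow grant for one project, or None. Never returns a session."""
        now = time.time() if now is None else now
        tok = self._by_hash.get(self._hash(raw))
        if tok is None or tok.used or now >= tok.expires_at:
            return None  # unknown, already redeemed, or expired
        if tok.project_id != project_id:
            return None  # token is bound to a different project than the URL names
        owner = users.get(tok.owner_id)
        if owner is None or owner.password_version != tok.password_version:
            return None  # owner changed password since issue: every old link is dead
        tok.used = True  # one-time use
        return {"project_id": project_id, "scope": sorted(tok.scope)}


def change_password(user: User) -> None:
    """Rotating the version invalidates every share token issued before now.
    The actual credential update is omitted; only the version bump matters here."""
    user.password_version += 1


def safe_share_link(base_url: str, project_id: str, raw_token: str) -> str:
    """The shareable URL carries only the scoped token, not the owner's session."""
    return f"{base_url}/share/{project_id}?t={raw_token}"
```

Binding the token to the owner's `password_version` is what makes "reset tokens during sensitive actions" cheap: nothing has to be enumerated and deleted, a stale version simply fails the check.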

Answered By WebDevDude On

Even if the site looks good, it doesn't mean the back end is secure. Developers might be great at design but lack the know-how for secure coding practices. This isn't just a minor slip; it's like leaving a back door open.

SmartCoder98 -

True! Just because a site functions well doesn't mean it has secure coding behind it. It's super important to have solid security in place.

Answered By SecuritySleuth On

The bigger issue here is the potential for that access token to get logged in places like browser history or server logs, which can create huge vulnerabilities. It's not just about this specific implementation but how that token can leak through normal usage.

CautiousUser -

Definitely! Tokens in URLs can lead to unintended exposure very easily. Using HTTP headers or secure cookies is a much better approach.
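The leak path SecuritySleuth describes, as an added example that is not from this thread: a scanner run over a few constructed access-log lines that flags credential-looking values in query strings, both in the request line and (one step beyond the post) in the Referer field, where a URL-borne token is also copied once the page loads any resource, plus the redaction a logger should apply before writing a URL. The combined-log format, the parameter-name list and the sample lines are assumptions.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that usually carry credentials (assumed list; extend per app).
SENSITIVE_PARAMS = {"token", "access_token", "auth_token", "api_key", "apikey",
                    "key", "session", "sid", "jwt", "code"}
# Value shape of a compact JWT: base64url of '{"' is "eyJ", then two more segments.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
# Combined log format (assumed); captures the request target and the Referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /share?project=42&token=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "https://cards.example/share?project=42&token=abc123" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /api/me?t=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /cards?page=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def sensitive_params(url: str) -> List[str]:
    """Names of query parameters in `url` that look like credentials,
    matched either by name or by a JWT-shaped value."""
    query = urlsplit(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS or JWT_RE.match(value)]


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, field, parameter) for every credential-looking query parameter."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        for field in ("target", "referer"):
            for name in sensitive_params(m.group(field)):
                findings.append((lineno, field, name))
    return findings


def redact_url(url: str) -> str:
    """What a logger should write instead of the raw URL."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS or JWT_RE.match(v) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    for lineno, field, name in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: credential-like parameter '{name}' in {field}")
```

Line 2 of the sample is the case people forget: the token never appears in that request's own path, yet it is in the log because the browser sent the sharing page's URL as the Referer when fetching a script. Redaction at the logger catches both fields; moving the token to an Authorization header or a cookie, as the comment above suggests, removes it from both.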
