It's super safe putting an access token as URL parameter ... right?

via Dev.to Webdev • Guy Domino • 1mo ago

My mom uses this certain website to send out birthday cards to her grandkids. She writes a silly poem, puts in a bunch of pictures, the site prints it up and mails it. Nice card. Cheaper than Hallmark. All that to say that this is a sophisticated and pretty well designed web site; they have developers who know their stuff.

Today, she wanted to show someone a card she was working on. So she clicks the share button on her iPad. She doesn't know this is a Safari thing and not a website thing. Safari texts her friend a URL. Basically this:

https://app.---redacted---.com/not-a-real-url?access_token=blahblahblah-youknowwhatitlookslike

They get her text message, click it and, bam 🤯, complete and total access to her entire account. Want to send a card? Sure! Send a thousand cards? Why not. Change her email and password? Go right ahead. We won't even email you to tell you we did any of that stuff!

She finally asks me for help and I have her log out, change her password. Nothing expires the
