WalletConnectSwiftV2
JWT token in URL parameter
Is your feature request related to a problem? Please describe. The app I'm working on at the minute is undergoing a security audit. The auditors noticed a GET request adding a JWT token to the query string of a URL and flagged it as an issue for us to fix. The request is coming from the WC2 SDK. Can you take a look and make sure the token is not being leaked?
We are still using HTTPS, though. I agree that sending a token in a header is a better practice. Will keep you updated.
> Can you take a look and make sure the token is not being leaked?
@simonmcl could you maybe share more context how the token could leak according to auditors?
@llbartekll here is the full content of the ticket:
Description: When the application opens, it sends a request containing the JWT token in the GET parameter. Sensitive authentication JWT token is included in the URL parameters of a GET request. This means that critical security information, which should be kept confidential, is exposed in the URL and can be easily intercepted by malicious actors.
OWASP ASVS 3.1.1
Verify the application never reveals session tokens in URL parameters.
CL MSS 1.9
No sensitive data, including PII, is shared with third parties unless it is required for the app's architecture.
Affected Hosts: relay.walletconnect.com
Impact:
Security Exposure: By including sensitive tokens in URLs, they become visible in web server logs, browser history, and potentially shared or cached links. This makes them vulnerable to unauthorized access and abuse.
Data Leakage: If these tokens are mishandled, they can be exposed to third-party websites, search engines, or other intermediaries. This can lead to data leakage and compromise of sensitive user data or API access.
Session Hijacking: Session tokens, when exposed in URLs, become an easier target for session hijacking attacks. Attackers can easily access and manipulate these tokens, taking control of a user's session or impersonating them.
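As an added example (not code from the WalletConnectSwiftV2 SDK or from the audit ticket), a small Python check in the spirit of ASVS 3.1.1: it flags query parameters whose values are JWT-shaped and redacts them before a URL is written to a log, which is exactly the exposure path the ticket describes. The host and token used in the demo are constructed, not real relay values.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# A JWT is three base64url segments separated by dots (header.payload.signature).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_json(segment: str):
    """Decode one base64url JWT segment into a JSON value, or return None."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None


def looks_like_jwt(value: str) -> bool:
    """True if the value parses as a JWT whose header declares an 'alg'."""
    if not JWT_RE.match(value):
        return False
    header = _b64url_json(value.split(".")[0])
    return isinstance(header, dict) and "alg" in header


def find_jwts_in_query(url: str) -> list:
    """Return the names of query parameters whose values carry a JWT (ASVS 3.1.1)."""
    query = urlsplit(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if looks_like_jwt(value)]


def redact_jwts_in_url(url: str) -> str:
    """Replace JWT-bearing query values with a placeholder before the URL is logged."""
    parts = urlsplit(url)
    cleaned = [(name, "REDACTED" if looks_like_jwt(value) else value)
               for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def make_sample_jwt() -> str:
    """Constructed, unsigned demo token (hypothetical; not a real relay token)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"alg": "EdDSA", "typ": "JWT"}) + "." + seg({"sub": "demo"}) + ".sig"
```

Running `find_jwts_in_query` over the URLs an app emits (or over access logs) is a cheap way to confirm the finding is fixed once the token moves into a request header.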