Q&A

Answer

  • Passing sensitive or personal information as query parameters is generally considered a problem, as it is revealed in many ways that POST data isn't. See for instance the similar question "Should sensitive data ever be passed in the query string?" OWASP has a short description of the problem: Information exposure through query strings in url.

    The main problems are generally considered to be

    • Bookmarks and browser history if someone has access to the browser

    • Access logs at the intended recipient of the query (or any proxies between you and the recipient)

    • That the query parameters are included in the "referer" header sent to other servers.

    What makes this case particularly interesting is that the information in question is actually a signed ID token. It can conceivably be used to authenticate the users at other service providers (though this requires a broken implementation at a service provider, a type of confused deputy problem).

    Including ID tokens in this manner is actually encouraged by the OpenID Connect standard, as the id_token_hint. It can be POSTed, but most implementations (few as they are) that I have seen, use query parameters. So having the developers of your service change this could be challenging.Changed

14.0.0 - 2042-10-06

Added

  • Introduced animals into the world, we believe they're going to be a neat addition.