I was trying to use a state-owned mobile payment app to conduct some transaction on the internet and, thanks to an error message, I found out that my card number and the amount I'm paying were sent via a GET request.
Other data on the request: the name of the service and an HMAC. And, yes, it's on HTTPS but I don't believe this really helps if the data is in URL.
Is this secure? Shouldn't such details be sent over a POST or a PUT request? I'm not a security expert so maybe I'm missing something here.