0

I was trying to use a state-owned mobile payment app to conduct some transaction on the internet and, thanks to an error message, I found out that my card number and the amount I'm paying were sent via a GET request.

Other data on the request: the name of the service and an HMAC. And, yes, it's on HTTPS but I don't believe this really helps if the data is in URL.

Is this secure? Shouldn't such details be sent over a POST or a PUT request? I'm not a security expert so maybe I'm missing something here.

ahmed
  • 245
  • 1
  • 7
  • 1
    Does this answer your question? [Are URL parameters of GET and POST requests over HTTPS secure?](https://security.stackexchange.com/questions/233795/are-url-parameters-of-get-and-post-requests-over-https-secure), [SSL with GET and POST](https://security.stackexchange.com/questions/12531/ssl-with-get-and-post) – Steffen Ullrich Apr 10 '21 at 17:06

1 Answers1

2

HTTPS protects the entire web request, which includes the url path and parameters. So the data being in the url doesn't make it any less securely transmitted. Only the domain name is exposed via SNI.

GET requests are avoided when transmitting sensitive information in web apps because the url containing sensitive information may be exposed in the user's browsing history (which may have misled you into thinking urls themselves were insecure). However, this is obviously a concern with web apps only. Since this scenario is a mobile app, you are fine from a security point of view.

nobody
  • 11,251
  • 1
  • 41
  • 60
  • That's good to know! Thanks a lot for the clear and quick response! – ahmed Apr 10 '21 at 17:03
  • 5
    +1. OP, not withstanding, it might also be worth considering that the full URL of GET requests are often logged on the server, in the web server logs. – mti2935 Apr 10 '21 at 17:17
  • @mti2935 Oops missed that aspect, thanks for adding that! (Though arguably if server logs are getting exposed, I guess you'll be having bigger problems) – nobody Apr 10 '21 at 18:39
  • 1
    @nobody I agree, much bigger problems if the server logs are exposed. But, this is why industry standards such as PCI, HIPAA, etc., prohibit storing sensitive information anywhere in plaintext. If the card number is being sent in the URL, I hope the server operator has disabled logging of GET requests (at least for these requests) - but this poses other problems (i.e. these logs are often needed for troubleshooting, analytics, etc). This just smells like a bad design to me. – mti2935 Apr 11 '21 at 10:38