
I was required to log in and pay an invoice, but for some reason the website did not work with Safari due to a cookie issue, as suggested by the alert banner, and asked me to use a different browser. I grabbed the complete URL of the logged-in page and pasted it into Firefox, and to my surprise I was immediately logged in. Anytime I've done this exact same step for any other website it requires you to log in again. This page has sensitive information and I'm pretty confident that there's something wrong, but I don't know the security issue it's having or how or to whom I should report this. What is the security issue and what is the best way to report this?

SaraSato

Certain web apps/web pages are made for certain browsers only, and Safari might not be one of them (technically they are made for certain engines, and Safari apparently uses WebKit, for example). Using a different browser means having separate cookies and is not a security flaw, but by design. What is your actual question here? – Sir Muffington May 27 '22 at 16:53

1 Answer

It is not necessarily a security issue. Maybe they keep all the data in a session on the server side and embed the session ID into the URL. That's why it is absolutely normal that if you use this URL in another browser, you join the same session, without login, without any tricks like copying cookies. In such a case it is not a security issue, because the HTTPS/TLS connection cannot be decrypted by anyone who intercepts your traffic. Thus, nobody except you knows the session ID in the URL. And as long as you don't allow anyone to access your browser when you open this website, nobody will guess this URL and thus nobody will be able to access your session data. To be sure, contact the customer service of that website.

Also, if there is not much data, this website may encode all the data into the URL, including some authentication token. Then a session is not needed at all. Safari supports URLs up to 80 K, Chrome up to 2 MB, Firefox up to 64 K.

mentallurg

Wow, thank you so much for clarifying @mentallurg, this is exactly what I was hoping to understand! – SaraSato May 27 '22 at 19:16
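A quick way for the asker to confirm the answer's hypothesis before contacting customer service is to inspect the copied URL for a session or authentication token, which is also the part to redact before sharing the URL with anyone. The following is an added example, not code from the original thread; the parameter-name list and the entropy threshold are assumptions, and the URLs in the comments are constructed.

```python
import math
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names commonly used for session or auth tokens (assumed list).
TOKEN_NAMES = {"sessionid", "session_id", "sid", "sessid", "phpsessid",
               "jsessionid", "asp.net_sessionid", "token", "auth",
               "access_token"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score roughly 4-5, plain words ~3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def looks_like_token(value: str) -> bool:
    """Heuristic for an opaque credential: long, high entropy, URL-safe chars."""
    return (len(value) >= 16
            and shannon_entropy(value) >= 3.5
            and re.fullmatch(r"[A-Za-z0-9._~=-]+", value) is not None)


def find_url_session_tokens(url: str) -> list:
    """Return (location, name) pairs for query or path parameters that carry a
    session/auth token, i.e. the parts of the URL that log another browser in.

    Constructed examples:
      .../invoice?id=123&sessionid=9f8e...   -> [("query", "sessionid")]
      .../invoice;jsessionid=A1B2...?id=5    -> [("path", "jsessionid")]
      .../invoice?id=123&page=2              -> []
    """
    parts = urlsplit(url)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in TOKEN_NAMES or looks_like_token(value):
            findings.append(("query", name))
    # Servlet-style path parameters such as /app/page;jsessionid=ABC...
    for m in re.finditer(r";([A-Za-z0-9_]+)=([^;/?#]+)", parts.path):
        if m.group(1).lower() in TOKEN_NAMES or looks_like_token(m.group(2)):
            findings.append(("path", m.group(1)))
    return findings
```

If the function reports a token, the session is URL-carried as the answer describes; if it reports nothing, the login state is coming from somewhere else and is worth raising with the site's support.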