ANSHIKA-26 / WordWise

Blogging website
https://anshika-26.github.io/WordWise/

SECURITY FLAW: exposure of sensitive information in the url parameters #983

Open parteekxo opened 2 hours ago

parteekxo commented 2 hours ago

[screenshot: browser address bar showing the login form's email and psw values in the URL query string]

The security flaw visible in the screenshot is the exposure of sensitive information such as a password (psw=demo) and email (email=demo%40gmail.com) in the URL parameters. This is a serious security concern for the following reasons:

Exposure of Sensitive Data: URL parameters are often logged in browser history, server logs, and analytics tools. Since sensitive data like passwords and emails are included in the URL, they could be exposed to unintended parties or logged in an insecure way.

Eavesdropping Risks: Even though the connection appears to be secured with HTTPS (as indicated by the lock symbol), sharing sensitive information in the URL can still be risky. For example, if someone shares the URL or it gets copied into logs, others may see the sensitive data.

Potential CSRF Vulnerabilities: Attackers could potentially craft malicious links containing parameters to trick users into performing unintended actions if URL parameters are used insecurely.

Recommendations:

Use POST Requests: For sensitive data like passwords and personal details, use POST requests instead of GET requests. POST data is not included in the URL and is more secure.
Avoid Storing Sensitive Data in URLs: Never expose sensitive information such as passwords in URLs.
Input Validation and Sanitization: Ensure proper validation and encryption of sensitive data before transmission.
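To make the GET-versus-POST point concrete, here is a small added example (written for this review, not code from the WordWise project) that models what the browser does when a login form is submitted with the default method, and a check that flags sensitive parameter names in a URL. The action URL `https://example.invalid/login.html`, the `submitForm` and `sensitiveParamsInUrl` names, and the list of sensitive parameter names are assumptions made for the example; the field names `psw` and `email` and the demo values are the ones visible in the issue.

```javascript
// Added example (not WordWise project code): how a login form's method decides
// whether credentials land in the URL, plus a check that flags them.

// Minimal model of browser form submission. With method="get" (the default
// when a <form> has no method attribute) every named field is URL-encoded
// into the query string of the action URL, which is exactly what the
// screenshot in the issue shows. With method="post" the same encoded fields
// travel in the request body and the URL stays clean.
//
//   <form action="login.html">                  <!-- vulnerable: defaults to GET -->
//   <form action="login.html" method="post">    <!-- fixed -->
//
function submitForm(action, method, fields) {
  const encoded = new URLSearchParams(fields); // application/x-www-form-urlencoded
  if (method.toLowerCase() === "get") {
    const url = new URL(action);
    url.search = encoded.toString();
    return { url: url.toString(), body: null };
  }
  return { url: action, body: encoded.toString() };
}

// Parameter names that should never appear in a query string. The list is an
// illustrative assumption; psw and email are the names from the issue.
const SENSITIVE_PARAMS = new Set(["psw", "password", "pass", "pwd", "email", "token"]);

// Returns the sensitive parameter names found in a URL's query string, in the
// order they appear. An empty array means the URL carries none of them.
function sensitiveParamsInUrl(urlString) {
  const url = new URL(urlString);
  return [...url.searchParams.keys()].filter((k) => SENSITIVE_PARAMS.has(k.toLowerCase()));
}

// Constructed input mirroring the issue's screenshot (demo credentials only).
const ACTION = "https://example.invalid/login.html"; // hypothetical action URL
const FIELDS = { email: "demo@gmail.com", psw: "demo" };

const viaGet = submitForm(ACTION, "get", FIELDS);
const viaPost = submitForm(ACTION, "post", FIELDS);

console.log("GET  ->", viaGet.url, "leaks:", sensitiveParamsInUrl(viaGet.url));
console.log("POST ->", viaPost.url, "leaks:", sensitiveParamsInUrl(viaPost.url));
```

The GET case reproduces the `?email=demo%40gmail.com&psw=demo` query string from the screenshot; the POST case keeps the URL bare and moves the same fields into the body. One caveat for this particular site: GitHub Pages serves static files and cannot process a POST server-side, so if the login form is handled by the page's own JavaScript, that handler should call `event.preventDefault()` so the browser never submits the fields anywhere, regardless of the form method.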

github-actions[bot] commented 2 hours ago

Thanks @parteekxo for raising this issue! We'll look into it. We hope you have made sure that a similar issue doesn't exist; if it does, kindly ask to be assigned on that issue.