Secure Website Login - Advice on potential flaws
Discussion
This evening I logged into a website that handles sensitive information (e.g. invoice/banking details etc.) and attempted to download a previous invoice. For some reason the download button didn't work.
Out of interest I decided to try a different browser (same machine), so I cut and pasted the URL from Safari to Brave. I was expecting to be asked to re-login but to my horror it went straight to my info.
I then transferred the URL to my work PC, one which has definitely never been used to browse that website and the same thing happened.
It also appears that the URLs do not expire promptly (it is still working 1.5 hours later)!
Out of interest I tried the same URL cut and paste trick on a number of other websites (including pistonheads.com) and none of them have this flaw.
Firstly, am I correct in believing this is using an out of date practice called a "Capability-URL"?
How should I proceed? I am not happy about continuing to use the site but currently I do not have a lot of choice.
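The behaviour described in the post (a copied URL opens the invoice in a different browser, on a different machine, and still works 1.5 hours later) is what you get when the URL itself is the credential. The following is an added illustration, not code from the thread or from the site in question: a minimal in-memory model of that capability-URL design beside a session-bound, short-lived, HMAC-signed download link. The hostname example.test, the invoice data, the 300-second TTL and the class and function names are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data: one user owning one invoice.
INVOICES = {"INV-1001": {"owner": "alice", "body": "Invoice INV-1001: 120.00 GBP"}}


class CapabilityUrlService:
    """The pattern observed in the thread: a random token in the URL is the
    only thing checked, so whoever holds the link can fetch the invoice from
    any browser, and the token never expires."""

    def __init__(self):
        self._tokens = {}  # token -> invoice id; no owner, no expiry

    def make_link(self, invoice_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = invoice_id
        return f"https://example.test/invoice/{invoice_id}?" + urlencode({"token": token})

    def fetch(self, url, cookies=None, now=0):
        # Cookies and time are ignored entirely: the URL alone grants access.
        token = parse_qs(urlparse(url).query).get("token", [None])[0]
        invoice_id = self._tokens.get(token)
        if invoice_id is None:
            return 404, None
        return 200, INVOICES[invoice_id]["body"]


class SessionBoundService:
    """Hardened variant: the link carries an expiry and an HMAC over
    (invoice, session id, expiry). It only works in the browser that holds
    the matching session cookie, and only until it expires."""

    TTL = 300  # seconds a download link stays valid (constructed value)

    def __init__(self, secret):
        self._secret = secret
        self._sessions = {}  # session id -> username

    def login(self, username):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = username
        return sid

    def _sign(self, invoice_id, sid, exp):
        msg = f"{invoice_id}|{sid}|{exp}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def make_link(self, sid, invoice_id, now):
        user = self._sessions.get(sid)
        if user is None or INVOICES[invoice_id]["owner"] != user:
            raise PermissionError("not logged in or not the invoice owner")
        exp = int(now) + self.TTL
        sig = self._sign(invoice_id, sid, exp)
        return f"https://example.test/invoice/{invoice_id}?" + urlencode({"exp": exp, "sig": sig})

    def fetch(self, url, cookies, now):
        parsed = urlparse(url)
        invoice_id = parsed.path.rsplit("/", 1)[-1]
        query = parse_qs(parsed.query)
        sid = (cookies or {}).get("session")
        user = self._sessions.get(sid)
        if user is None:
            return 401, None  # no valid session cookie: a real app redirects to login
        try:
            exp, sig = int(query["exp"][0]), query["sig"][0]
        except (KeyError, ValueError):
            return 400, None
        if now > exp:
            return 403, None  # link has expired
        if not hmac.compare_digest(sig, self._sign(invoice_id, sid, exp)):
            return 403, None  # tampered, or minted for a different session
        if INVOICES.get(invoice_id, {}).get("owner") != user:
            return 403, None
        return 200, INVOICES[invoice_id]["body"]


def reproduce_thread(now=1_700_000_000):
    """Replay the checks from the post against both designs; returns status codes."""
    weak = CapabilityUrlService()
    weak_url = weak.make_link("INV-1001")
    strong = SessionBoundService(secret=b"constructed-demo-secret")
    sid = strong.login("alice")
    strong_url = strong.make_link(sid, "INV-1001", now)
    later = now + 90 * 60  # 1.5 hours on, as in the post
    return {
        "weak_other_browser": weak.fetch(weak_url, cookies=None, now=now)[0],
        "weak_after_90min": weak.fetch(weak_url, cookies=None, now=later)[0],
        "strong_same_browser": strong.fetch(strong_url, {"session": sid}, now)[0],
        "strong_other_browser": strong.fetch(strong_url, None, now)[0],
        "strong_other_login": strong.fetch(strong_url, {"session": strong.login("alice")}, now)[0],
        "strong_after_90min": strong.fetch(strong_url, {"session": sid}, later)[0],
    }


if __name__ == "__main__":
    for check, status in reproduce_thread().items():
        print(f"{check}: {status}")
```

The weak service returns 200 for every check, which is exactly the symptom reported. The hardened one returns 200 only in the browser that minted the link and within the TTL; a copy pasted into another browser gets 401, a second login of the same user gets 403 because the signature is bound to the original session (that user simply clicks the download button again), and the link is refused once it has expired.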
jesusbuiltmycar said:
Firstly am I correct in believing this is using an out of date practice called a "Capability-URL"?
I doubt it's deliberate from the sound of things. I'd just contact them and let them know, you shouldn't need to give them your example, just how you got to the page with the URL. If they have a bug bounty programme that's ideal as you might get a payout. If they have a security.txt file that's a good sign and a way to get hold of the right people. If they're like most companies you'll probably just have to contact them via a front door route.
e.g. https://www.google.co.uk/.well-known/security.txt