Make the Filtered Transactions URL secure

ajbopp Member ✭✭✭✭
edited December 2023 in Feature Requests

I just read this post

And it made me realize I've had issues with these sorts of URLs before, when I was a gainfully employed software tester.

A URL that displays with that kind of detail is inherently unsafe and prone to hacking. It gives details about the structure of the file system on the server, provides insights into the code design, and is prone to making small edits in the URL string itself which can enable a user to view stuff they shouldn't be allowed to view. In the case of the software I was testing, editing the URL could potentially allow you to see another person's data.

I don't know that that kind of hacking is available on Q-Simplifi, but there is a risk. The URL should never display anything but "app.simplifimoney.com"

This change should be the very highest priority of the product.

Anthony Bopp
Simplifi User Since July 2022
Money talks. But all my paycheck ever says is goodbye

4 votes


Comments

  • budgetj75 Member ✭✭✭
    edited December 2023

    I disagree. The security of the system should not be based on "obfuscation", as these parameters will and need to be passed around whether they're in the URL or whether they're being POSTed in requests or through async/AJAX style calls. So they are available to be modified no matter what (just because you can't see them doesn't mean they're not trivial to intercept/inspect and modify). As long as both the server and client side abstract, sanitize and verify the data, there's nothing inherently wrong with having URLs that you can link to with preset parameters.
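
Added example (not part of the thread and not Simplifi's code): a sketch of the server-side check the discussion turns on, where filter parameters are validated and every query is scoped to the authenticated session's user, whether the parameters arrived in a URL query string or a form-encoded POST body. The parameter names, account ids and data are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample data: account ownership and a few transactions.
OWNED_ACCOUNTS = {"alice": {"acct-1", "acct-2"}, "bob": {"acct-9"}}
TRANSACTIONS = [
    {"id": 1, "account": "acct-1", "category": "groceries", "amount": -42.10},
    {"id": 2, "account": "acct-2", "category": "rent", "amount": -900.00},
    {"id": 3, "account": "acct-9", "category": "groceries", "amount": -13.37},
]
ALLOWED_PARAMS = {"account", "category"}   # hypothetical filter names
ALLOWED_CATEGORIES = {"groceries", "rent"}


class FilterRejected(Exception):
    """Raised when filter parameters fail validation or authorization."""


def filtered_transactions(session_user, encoded_params):
    """Apply URL-encoded filter parameters on behalf of session_user.

    encoded_params is the raw query string or form-encoded body. The user
    identity comes from the authenticated session, never from the parameters.
    """
    params = parse_qs(encoded_params)
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        raise FilterRejected(f"unknown parameters: {sorted(unknown)}")

    owned = OWNED_ACCOUNTS.get(session_user, set())
    # No account filter means "all of my accounts", not "all accounts".
    requested = set(params.get("account", owned))
    # Authorization: every requested account must belong to the session user.
    if not requested <= owned:
        raise FilterRejected("account not owned by session user")

    categories = set(params.get("category", ALLOWED_CATEGORIES))
    if not categories <= ALLOWED_CATEGORIES:
        raise FilterRejected("invalid category")

    return [t for t in TRANSACTIONS
            if t["account"] in requested and t["category"] in categories]
```

Editing the `account` value to one owned by another user is rejected by the ownership check, so the outcome does not depend on whether the parameter was visible in the address bar.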