I recently went through a security analysis of our applications and there was a finding with the password recovery flow. It indicated that the sent mail contains sensitive information in the “key” parameter, and that an attacker who gains access to any location where the URLs are stored will be able to see the sensitive information that is passed through the query string. Is there an alternative or different way to make a password recovery flow, something like a single-use code?
Which sensitive data are you talking about?
I received an email with a link like this
And when I decode it I get the following information.
Issuer (iss)
UserID in KC (sub)
E-mail (eml)
Client (azp)
Flow type (typ)
This information is considered sensitive.
The only real sensitive information is the email address.
Theoretically it isn’t needed for a credential reset, but I’m currently not aware if this is easy to eliminate in the generated JWT.
Finally, use this implementation to replace the link with a one-time code.
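As an added illustration (not code from this thread or from Keycloak), the following Python shows both halves of the finding: decoding the payload of a reset-link JWT reveals the listed claims to anyone who can read the URL, whereas an opaque single-use code stored only as a digest reveals nothing and cannot be replayed. Claim values, the `ResetCodeStore` class and the `eml` sample address are constructed for the demo.

```python
import base64
import hashlib
import json
import secrets
import time

# Constructed sample claims mirroring the ones listed in the thread (iss, sub, eml, azp, typ).
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.test/realms/demo",
    "sub": "11111111-2222-3333-4444-555555555555",
    "eml": "alice@example.test",
    "azp": "account",
    "typ": "reset-credentials",
}


def make_unsigned_sample_jwt(claims):
    """Build a constructed token (header.payload.fake-signature) for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.fakesig"


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it: this is all a mail server,
    proxy log or browser history needs to do to read the claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


class ResetCodeStore:
    """Single-use recovery codes: the code is random, carries no user data,
    and only its SHA-256 digest is kept server-side with the user id and expiry."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._codes = {}  # digest -> (user_id, expires_at)

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # 256 bits of entropy, safe in a URL
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._codes[digest] = (user_id, now + self.ttl)
        return code  # only this value goes into the e-mail

    def redeem(self, code, now=None):
        """Return the user id once, then invalidate; None if unknown or expired."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(code.encode()).hexdigest()
        entry = self._codes.pop(digest, None)  # consumed on first attempt, valid or not
        if entry is None or now > entry[1]:
            return None
        return entry[0]
```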
