I joined a small project, and I noticed that the project uses something like a token associated with a user journey. So the URL looks something like: https://host.com/sell/:jurneyID.

All data entered by the user during the journey are associated with the jurneyID, including email, personal information and so on.

That means when I go to https://host.com/success/:jurneyID I can see user data related to that journey.

There is no concept of a session, which means that anyone who knows the jurneyID can access this data.

In theory the jurneyID is a long, random, unique string and expires after two weeks; however, I still don't like this solution because:

- the token string can be brute-forced
- the jurneyID is part of the URL and can therefore be extracted from logs, browser history, etc.

I'd like to ask if you know any resources which can prove that this solution is a bad idea, and does such a vulnerability have a name?
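As an added illustration (example code, not the project's own), the following model shows the lookup pattern described in the question, where knowing the URL token is the only check, next to a version that additionally binds each journey to the server-side session that created it and enforces the two-week expiry. The in-memory store, session identifiers and field names are assumptions for the example.

```python
import hmac
import secrets
import time

# Two-week lifetime, matching the expiry described in the question.
JOURNEY_TTL_SECONDS = 14 * 24 * 3600


class JourneyStore:
    """Constructed in-memory stand-in for the project's database (assumption)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._journeys = {}      # journey_id -> record

    def create(self, session_id):
        # Long random token, as the question says the project already uses.
        journey_id = secrets.token_urlsafe(32)
        self._journeys[journey_id] = {
            "owner_session": session_id,
            "created": self._now(),
            "data": {},
        }
        return journey_id

    def save(self, journey_id, session_id, **fields):
        # Writes go through the same ownership check as reads.
        self._get_owned(journey_id, session_id)["data"].update(fields)

    def get_unprotected(self, journey_id):
        # The pattern from the question: possession of the token is the only check,
        # so anyone who finds the URL in a log or history can read the data.
        rec = self._journeys.get(journey_id)
        return None if rec is None else rec["data"]

    def get(self, journey_id, session_id):
        # Hardened form: token must exist, be unexpired, and belong to this session.
        return self._get_owned(journey_id, session_id)["data"]

    def _get_owned(self, journey_id, session_id):
        rec = self._journeys.get(journey_id)
        expired = rec is not None and self._now() - rec["created"] > JOURNEY_TTL_SECONDS
        # Constant-time compare of the owner, and one generic error for every
        # failure so the response does not reveal whether the token exists.
        if rec is None or expired or not hmac.compare_digest(rec["owner_session"], session_id):
            raise PermissionError("journey not found")
        return rec
```

With the session-bound lookup, a leaked URL alone is no longer enough to read the journey; the caller must also present the cookie-backed session that created it.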