Technical Support
GET /actions/claim-qr might lead to security leak
over 1 year ago by Forest
I realized that we are asked to pass qr_hash as a URL parameter in the GET /actions/claim-qr endpoint. Because any valid qr_hash alone can be used to claim the POAP, I would consider it a sensitive secret input. While HTTPS protects traffic from being sniffed, server frameworks and middleware commonly log full URLs. This means qr_hash can be accidentally leaked even if the developer has exercised abundant caution.
This obviously isn't an immediately exploitable vulnerability, but I am afraid there might be POAP codes in server logs in the wild due to use of this endpoint.
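The mitigation and the clean-up check the post implies, as an added Python example that is not code from the post or from POAP: a helper that redacts secret query parameters before a URL is written to an access log, and a scanner that finds qr_hash values already sitting in existing log lines. Only the parameter name qr_hash and the /actions/claim-qr path come from the post; the log format, hostname and hash values are constructed.

```python
"""Redact secret query parameters before a URL reaches a log, and scan
existing access-log lines for values that were already written in plain text.

Added example, not POAP's code. ``qr_hash`` and ``/actions/claim-qr`` come
from the post; the log format and sample values below are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters whose values must never be written to logs.
SECRET_PARAMS = {"qr_hash"}

def redact_url(url: str, secret_params=SECRET_PARAMS) -> str:
    """Return ``url`` with the value of each secret query parameter replaced
    by a fixed marker; other parameters and the path are left intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k in secret_params else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))

# An unredacted qr_hash value inside a logged request line: the value runs
# until the next '&', whitespace or quote, and must not be the marker itself.
LEAK_RE = re.compile(r'[?&]qr_hash=(?!REDACTED\b)([^&\s"]+)')

def find_leaked_hashes(log_lines):
    """Return (line_number, value) pairs, 1-based, for every qr_hash value
    that appears unredacted in the given access-log lines."""
    return [(i, m.group(1))
            for i, line in enumerate(log_lines, 1)
            for m in LEAK_RE.finditer(line)]

# Constructed access-log sample (Common Log Format); not real POAP data.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /actions/claim-qr?qr_hash=abc123def456 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /actions/claim-qr?qr_hash=REDACTED HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /healthz HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    print(redact_url("https://api.example.test/actions/claim-qr?qr_hash=abc123def456&foo=bar"))
    print(find_leaked_hashes(SAMPLE_LOG))
```

Redaction only limits what the application's own logger writes; proxies and CDNs in front of it keep their own access logs, so carrying the value in a request body or header instead of the query string removes it from URL-based logging altogether.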