GET /actions/claim-qr might lead to security leak
I realized that we are asked to pass
qr_hash as an url parameters in the
GET /actions/claim-qr endpoint. Because any valid
qr_hash alone can be used to claim the POAP, I would consider it as a sensitive secret input. While HTTPS protects traffic from being sniffed, server framework and middleware commonly log full URLs. This means
qr_hash can be accidentally leaked even if the developer has exercised abundant caution.
This obviously isn't an immediately exploitable vulnerability but I am afraid there might be POAP codes in server logs in the wild due to use of this endpoint.