Abusing JSON Web Token to steal accounts — 3000$

https://jwt.io/

Hello fellow hackers! 👋

My name is Filipe Azevedo, I am a Cyber Security Researcher from Portugal. I work mainly for Intigriti and Hackerone.

Today I’m going to show you a recent finding on a private program.

So, let’s go to the vulnerability.

What’s JWT?

JWTs provide a stateless solution to authentication by removing the need to track session data on the server. Instead, a JWT lets the server hand the session data to the client in a signed token, which the client sends back with each request:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The first part, the HEADER, tells us the algorithm and token type.

The second part is the PAYLOAD: the claims being passed, such as the user ID.

Lastly, the SIGNATURE is what prevents the token from being edited without detection, as long as the server actually verifies it.

You can learn more about JWT here.

Detection and exploitation of the vulnerability

I was looking for bugs such as XSS, SQL Injection and IDORs, but the target was pretty secure. So I started searching for bugs in the authentication flow.

I noticed that the only difference between the two JWTs was the ID present in the payload. I found out that this value was the user's account number. So, if I changed my ID to the victim's, I could access any account.
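To make the security-relevant point concrete, here is an added example (my own illustration, not code from the post or from the affected program) of what the signature is supposed to do. It signs and verifies HS256 tokens with only the Python standard library: anyone can read and rewrite the payload, but a server that checks the signature before trusting the claims rejects a token whose ID was changed, and it should take the account id only from the verified claims, never from a client-supplied parameter. The post does not say why the modified token was accepted, so the block demonstrates the check rather than the specific failure. The sample token is the one shown above, assumed to be jwt.io's demo token signed with its well-known demo secret; the second secret, the account ids and the helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The token quoted in the post (jwt.io's classic sample token).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
# Assumption: jwt.io signs its sample token with this well-known demo secret.
JWT_IO_DEMO_SECRET = b"your-256-bit-secret"
# Constructed secret for the round-trip demonstration below.
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"


def b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified_payload(token: str) -> dict:
    """What anyone holding the token can read: the payload is only encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tamper_subject(token: str, new_sub: str) -> str:
    """Rewrite the 'sub' claim while keeping the original signature (what the post describes)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_sub
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the signature is valid for our pinned algorithm; None otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side: the token's header must never choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the expected and presented signatures.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def account_for_request(token: str, secret: bytes) -> Optional[str]:
    """Resolve the account id from the verified claims only; a client-sent id parameter is ignored."""
    claims = verify_hs256(token, secret)
    return None if claims is None else claims.get("sub")


if __name__ == "__main__":
    mine = sign_hs256({"sub": "123456"}, DEMO_SECRET)      # constructed account id
    forged = tamper_subject(mine, "654321")                # constructed victim id
    print("payload readable without secret:", decode_unverified_payload(forged))
    print("account served for genuine token:", account_for_request(mine, DEMO_SECRET))
    print("account served for forged token: ", account_for_request(forged, DEMO_SECRET))
```

The verifier deliberately decides the algorithm itself rather than trusting the header, compares signatures in constant time, and exposes the claims only through a function that refuses to return anything on failure, so the calling code cannot accidentally use an unverified payload.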

How to find out the victim’s ID

There was no dedicated login and registration page. The user entered their email and clicked "Next". The server would check the email and forward the user to either login or registration.

But during this process, the ID was leaked. If the email existed, a request was sent containing both the email and the ID. Something like this:

email=victim@gmail.com&id=123456

Bug Reported: Apr 19, 2021

Bounty rewarded 3000$: May 31, 2021

For queries, you can DM me on Twitter. Feedback is always welcome!

Thanks for reading.

Happy Hacking!!!


Ethical Hacker | Bug Bounty Hunter | CTF Player | https://linktr.ee/filipaze
