Unbelievable Security Hole: JWT Secret in a Series-B Funded Company
While penetration testing a company's mobile API, a security tester found a serious vulnerability: the JWTs were signed with a publicly known HMAC secret. By forging a token and changing the userId parameter, an attacker could access any user's account. The flaw affected a company with 11.8 million users and could have had serious consequences. 2025-10-10 11:1:14 Author: infosecwriteups.com

Erkan Kavas

It started as a routine penetration test. Little did I know I was about to uncover one of the most basic yet catastrophic security vulnerabilities imaginable in a company with 11.8 million users and $140 million in Series B funding.


Image by easydmarc.com

While testing their mobile API, Burp Suite flagged something that made me do a double-take:

Critical: JWT signed using well-known HMAC secret key. The key used was: XXXX

My first reaction was disbelief. Surely this had to be a false positive.

The Proof

I decided to verify the finding. Using their own JWT structure:

    {
        "iss": "redacted",
        "expwe": 90001760027408,
        "userId": 1813038,
        "iyat": 1760027408,
        "sss": 17460027408
    }

(The userId claim is the one that matters here.)

With the secret “XXXX”, I generated a token and accessed their /v1/auth/ endpoint. It worked. Then came the terrifying realization - I could access ANY user's account by simply changing the userId parameter.

The Escalation

I wrote a simple Python script to demonstrate the impact:

    import jwt
    import requests

    SECRET = "XXXX"

    for user_id in range(1, 11):
        token = jwt.encode(
            {"iss": "redacted", "expwe": 90001760027408…
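The root cause above is a guessable HMAC secret, so the server-side fix is two-fold: rotate to a random key of at least 32 bytes and verify tokens strictly (pinned algorithm, constant-time MAC comparison, enforced expiry). The following is an added example written for this post, not the author's script or the affected company's code; it implements HS256 with the Python standard library, and the list of known-weak secrets is a constructed stand-in for the wordlist a scanner such as Burp uses (the post's placeholder "XXXX" is included only to mirror the write-up).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for a scanner's wordlist of default/placeholder secrets;
# "XXXX" is the redacted value from the write-up, not a real key.
KNOWN_WEAK_SECRETS = {"secret", "password", "changeme", "XXXX"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims if the token is valid under `secret`, else None.
    Pins alg to HS256, compares the MAC in constant time and enforces exp."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed base64/JSON or wrong segment count
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if "exp" not in claims or claims["exp"] <= (time.time() if now is None else now):
        return None
    return claims

def secret_is_weak(secret: bytes) -> bool:
    # RFC 7518 requires an HS256 key at least as long as the hash output (32 bytes).
    return secret.decode(errors="ignore") in KNOWN_WEAK_SECRETS or len(secret) < 32

def new_secret() -> bytes:
    return secrets.token_bytes(32)  # what the signing key should look like
```

Running `secret_is_weak` against the configured key at startup (and failing closed) is the cheapest way to make sure a placeholder never reaches production.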


Source: https://infosecwriteups.com/unbelievable-security-hole-jwt-secret-in-a-series-b-funded-company-540434b54e59?source=rss----7b722bfd1b8d---4