Account Takeover via JWT Misconfiguration
Written by Sagiv Michael on
Introduction
In the fast-evolving mobile app security world, vulnerabilities often slip under the radar, posing significant risks to users and organizations. During a recent mobile app assessment, our team discovered a critical flaw in the JSON Web Token (JWT) implementation. The server failed to verify JWT signatures, creating a serious vulnerability that could allow unauthorized access and potential account takeover with admin privileges.
This misconfiguration is particularly concerning because it could allow attackers to bypass authentication mechanisms easily. We’ve previously discussed JWT vulnerabilities in depth in our article “Cracking JWT Vulnerabilities”. This article explores a newly discovered JWT vulnerability, covering how we identified it, the exploitation techniques used, and key steps to prevent similar attacks.
Reproducing the Issue
To understand the gravity of the misconfiguration, let’s walk through the steps we took to reproduce the issue:
Step 1: Extracting the Mobile Application Source Code
Decompiling the Android mobile application allowed us to access the Android bundle file, which contained crucial information about the API endpoints, including the LoginByOkta endpoint.
default.post('user/LoginByOkta', {oktatoken: t.id_token})
Step 2: Crafting a Forged JWT
We did not have a valid Okta token, so we sent the request with an empty value in the oktatoken parameter to see how the application reacted. The API endpoint responded with a stack trace error message indicating that the JWT value was not well formed.
Step 3: Obtaining a JWT with Valid Structure
What if the server accepts any valid-looking JWT, even if it’s not tied to Okta? It could return a default token and reveal the expected JWT format.
By inserting a valid JWT structure (from jwt.io) into the oktatoken parameter of the LoginByOkta request, the API returned an empty but valid JWT that the system accepted.
We then noticed that the JWT payload contains a numeric user identifier.
Step 4: Exploiting the Misconfiguration
Once we had a token with a valid JWT structure, we could tamper with the value of the nameId claim, which represents the user identifier: by increasing its value, we were able to access any user in the system. This was possible because the system did not verify the JWT signature and therefore accepted a modified JWT payload.
Once the system returned a valid JWT value, we used a different API endpoint that returns details about the user based on the JWT payload. This confirmed that we had complete access to any user in the system, including administrator accounts, which was our final goal in compromising the system.
Mitigation
If you have encountered any of the above scenarios, please follow the instructions below provided by Clear Gate for immediate mitigation and to prevent further Account Takeover attacks:
- Handle unsuccessful authentication properly – Avoid returning an empty JWT upon unsuccessful authentication. Instead, return a token parameter with a null value to prevent adversaries from deducing the token structure.
- Verify JWT signatures on the server side – The most crucial step is ensuring the server verifies the JWT signature. Every token must be rejected unless its signature validates against the issuer's key before any claim in its payload is trusted.
Conclusion
The discovery of this critical misconfiguration underscores the importance of thorough security testing and robust implementation of authentication mechanisms. The potential impact of such vulnerabilities is profound, as adversaries could gain unauthorized access to any user account, including those with administrative privileges. This could lead to data breaches, unauthorized transactions, and severe reputational damage for the affected organization.
Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in JWT deployments, which have become increasingly popular among companies developing SaaS products. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their authorization mechanism security and protect valuable data from potential threats.