Account Takeover via JWT Misconfiguration

Written by Sagiv Michael on


Introduction

In the fast-evolving mobile app security world, vulnerabilities often slip under the radar, posing significant risks to users and organizations. During a recent assessment of a client’s mobile application, our team identified a critical flaw in the implementation of JSON Web Tokens (JWT). The issue stemmed from a failure to verify the JWT signature on the server side, creating a severe vulnerability that could allow unauthorized access and even enable account takeovers with administrative privileges.

This misconfiguration is particularly concerning because it could allow attackers to bypass authentication mechanisms easily. We’ve previously discussed JWT vulnerabilities in depth in our article “Cracking JWT Vulnerabilities”. Building on that discussion, this article dives into a newly identified weakness, detailing our discovery process, the exploitation methods, and the necessary steps to safeguard against such attacks.

Reproducing the Issue

To understand the gravity of the misconfiguration, let’s walk through the steps we took to reproduce the issue:

Step 1: Extracting the Mobile Application Source Code

Decompiling the Android mobile application allowed us to access the Android bundle file, which contained crucial information about the API endpoints, including the LoginByOkta endpoint.

default.post('user/LoginByOkta', {oktatoken: t.id_token})

Step 2: Crafting a Forged JWT

We did not have a valid Okta token, so we sent the request with an empty value in the oktatoken parameter to see how the application reacted. The API endpoint responded with a stack trace error message indicating that the JWT value was not well formed.

Causing a Stack Trace Error to Extract Further Technical Information

Step 3: Obtaining a JWT with Valid Structure

What if the server only checks that the oktatoken value has a well-formed JWT structure (a sample token from a website such as jwt.io, for example), without requiring it to be a genuine Okta token, and then responds with a JWT of its own? That token might be empty and not associated with any user, but it would still reveal the valid JWT structure that the system uses.

By inserting a JWT with a valid structure taken from the jwt.io website into the oktatoken parameter of the request to the LoginByOkta endpoint, the API surprisingly returned a response containing an empty JWT with a valid structure that could be used in the system. We then noticed that the JWT payload contained a numeric user identifier.

Sending a Forged JWT Results in Providing the Actual Structure

Step 4: Exploiting the Misconfiguration

Once we had the valid JWT structure, we tampered with the nameId value in the payload, which represents the user identifier, by incrementing it; this gave us access to any user in the system. This was possible because the system did not verify the JWT signature and therefore accepted a tampered JWT payload.

Once the system accepted the tampered JWT, we used a different API endpoint that returns details about the user identified by the JWT payload. This confirmed that we had complete access to any user in the system, including administrator accounts, which was our final goal in compromising the system.

Bad Signature Validation Allows Access to Any User Account

Mitigation

If you have encountered any of the above scenarios, please follow the instructions below, provided by Clear Gate, for immediate mitigation and to prevent further Account Takeover attacks:

  • Handle unsuccessful authentication properly – Avoid returning an empty JWT upon unsuccessful authentication. Instead, return a token parameter with a null value to prevent adversaries from deducing the token structure.
  • Verify JWT signatures on the server side – The most crucial step is ensuring the server verifies the JWT signature. Proper signature validation mechanisms can achieve this.

Conclusion

The discovery of this critical misconfiguration underscores the importance of thorough security testing and robust implementation of authentication mechanisms. The potential impact of such vulnerabilities is profound, as adversaries could gain unauthorized access to any user account, including those with administrative privileges. This could lead to data breaches, unauthorized transactions, and severe reputational damage for the affected organization.

Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in JWT deployments, which have become increasingly popular among companies developing SaaS products. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their authorization mechanism security and protect valuable data from potential threats.
