Account Takeover via JWT Misconfiguration
Written by Sagiv Michael, Penetration Tester at Clear Gate Cyber Security and Research.
This article is also available on our blog:
Introduction
In the fast-evolving mobile app security world, vulnerabilities often slip under the radar, posing significant risks to users and organizations. During a recent assessment of a client’s mobile application, our team identified a critical flaw in the implementation of JSON Web Tokens (JWT). The issue stemmed from a failure to verify the JWT signature on the server side, creating a severe vulnerability that could allow unauthorized access and even enable account takeovers with administrative privileges.
This misconfiguration is particularly concerning because it could allow attackers to bypass authentication mechanisms easily. We’ve previously discussed JWT vulnerabilities in depth in our article “Cracking JWT Vulnerabilities”. Building on that discussion, this article dives into a newly identified weakness, detailing our discovery process, the exploitation methods, and the necessary steps to safeguard against such attacks.
Reproducing the Issue
To understand the gravity of the misconfiguration, let’s walk through the steps we took to reproduce the issue:
Step 1: Extracting the Mobile Application Source Code
Decompiling the Android mobile application allowed us to access the Android bundle file, which contained crucial information about the API endpoints, including the LoginByOkta endpoint.
default.post('user/LoginByOkta', {oktatoken: t.id_token})
Step 2: Crafting a Forged JWT
We did not have a valid Okta token, so we sent the request with an empty value in the oktatoken parameter to see how the application reacted. The API endpoint responded with a stack trace error message indicating that the JWT value was not well formed.
Step 3: Obtaining a JWT with Valid Structure
What if the server only checks that the oktatoken value is a structurally valid JWT (such as the sample tokens found on websites like jwt.io), without requiring it to be a genuine Okta token, and then responds with its own JWT? That returned JWT might be empty and not associated with any user, but it would still reveal the JWT structure that the system uses.
By inserting a structurally valid JWT taken from the jwt.io website as the value of the oktatoken parameter in the request to the LoginByOkta endpoint, the API surprisingly returned a response containing an empty but well-formed JWT that could be used in the system. We then noticed that the JWT payload contains a numeric user identifier.
Step 4: Exploiting the Misconfiguration
With the valid JWT structure in hand, it was possible to tamper with the value of the nameId parameter, which represents the user identifier: by increasing its value, we were able to access any user in the system. This was possible because the system did not verify the JWT signature and therefore accepted a tampered JWT payload.
Once the system returned a valid JWT, we used a different API endpoint that returns details about the user identified in the JWT payload. This confirmed that we had gained complete access to any user in the system, including administrator accounts, which was our final goal in compromising the system.
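The root cause in Steps 3 and 4 is a server that reads nameId from the JWT payload without checking the signature. The following is an added illustration, not code from the client's application or from Clear Gate: a minimal HS256 session-token issuer with the unchecked decode next to a hardened verifier, using a constructed demo secret. (An Okta id_token itself would be verified against the IdP's published public keys instead; the same claim-and-signature discipline applies.)

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real server loads this from a secret store, never from source.
SECRET = b"demo-only-server-signing-key"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # Restore the '=' padding that JWT encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def issue_token(name_id: int, ttl: int = 3600) -> str:
    """Mint the server's own HS256 session JWT carrying the numeric user id (nameId)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"nameId": name_id, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def insecure_name_id(token: str) -> int:
    """What the vulnerable server effectively did: read nameId from the payload, never checking the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))["nameId"]

def verified_name_id(token: str, now=None) -> int:
    """Hardened check: pin the algorithm, recompute the HMAC, compare in constant time, enforce exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return payload["nameId"]

def with_name_id(token: str, new_id: int) -> str:
    """Test helper reproducing Step 4: rewrite nameId but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["nameId"] = new_id
    return f"{header_b64}.{b64url_encode(json.dumps(payload).encode())}.{sig_b64}"
```

The unchecked decode happily returns the rewritten identifier, while the verifier fails the token on the signature check before any claim is trusted.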
Mitigation
If you have encountered any of the above scenarios, please follow the instructions below, provided by Clear Gate, for immediate mitigation and to prevent further Account Takeover attacks:
Conclusion
The discovery of this critical misconfiguration underscores the importance of thorough security testing and robust implementation of authentication mechanisms. The potential impact of such vulnerabilities is profound, as adversaries could gain unauthorized access to any user account, including those with administrative privileges. This could lead to data breaches, unauthorized transactions, and severe reputational damage for the affected organization.
Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in JWT deployments, which have become increasingly popular among companies developing SaaS products. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their authorization mechanism security and protect valuable data from potential threats.