Summary
In use, we found that the jwttoken code does not work correctly, which creates a security risk.
Details
The vulnerability concerns the token carried in the Authorization header after user login. After the user logs out, that token remains valid and does not expire.
This allows an attacker who holds the token to gain unauthorized access to the application or system even after the user has logged out, leading to potential data breaches, unauthorized modification or deletion of sensitive data, or other malicious activity.
PoC
Step 1: before changing the password and logging out, we recorded the current JWT.
Step 2: after changing the password and logging out, we received a new JWT.
We then observed that both JWTs were accepted at the same time.
Video PoC (logout test):
bandicam.2023-11-28.09-35-57-727.mp4
Impact
This jwttoken vulnerability can have a significant impact on the security of any application or system protected by the token. The main impact is that a token can be used indefinitely by any user or attacker who obtains it. This can lead to unauthorized access to sensitive information, because the holder bypasses authentication and reaches the application or system without a valid username and password.