Hardcoded JWT to Millions of PII

June 5, 2024

When testing a company this week, I encountered a vulnerability where an authenticated user could exchange their authentication token for a second set of tokens for a secondary API. The user could then interact with an API where they could pass an enumerable account token belonging to another user to get access to their PII: DoB, Address, Phone Number, Transaction history, and account balances. While this was a solid finding, I wanted to find a way to exploit the vulnerability without an attacker needing to have accounts in the platform. This was mainly because the platform's KYC required sensitive information from the attackers before they could get an account, making it easier to detect who the person behind the exploit would be.

I decided to take Orion for the test and see if it had any helpful information extracted from its regular monitoring and scans. I already had the platform monitored. It turned out that it had some very valuable data for me! It detected and stored a hardcoded authorization token that the platform engineers used to debug the platform when it was built. The auth token itself had expired (based on the expiry epoch), but the platform's authentication middleware did not care about it. It would accept it if it could be validated as a valid authorization (signed correctly). After this, it was as simple as using this hardcoded auth token to generate the secondary auth token for the API and get access to the PII of every account in the platform. Since the token was hardcoded in a JS file, any malicious attacker could have easily extracted millions of customers' PII.

Takeaway: Always monitor and secure auth tokens, even those used in development.