Popular JWT cloud security library patches “remote” code execution hole (Security News, January 2023)
One popular use of JSON is the JWT system, which isn't pronounced jer-witt, as it is written, but jot, an English word that is sometimes used to refer to the little dot we write above an i or j, and that refers to a tiny but potentially important detail.
Loosely speaking, a JWT is a blob of JavaScript that is used by many cloud services as a service access token.
Well, cybersecurity news today is full of a revelation by researchers at Palo Alto that's variously described as a "High-severity flaw" or a "Critical security flaw" in a popular JWT implementation.
In theory, at least, this bug could be exploited by cybercriminals for attacks ranging from implanting unauthorised files onto a JWT server, thus maliciously modifying its configuration or modifying the code it might later use, to direct and immediate code execution.
Simply put, the act of presenting a JWT to a back-end server for validation - something that typically happens at every API call - could lead to unauthorised code infiltration.
According to the researchers, the bug existed in the part of Auth0's code that validated JWTs presented by remote users against the secret key stored centrally for that user.