Popular JWT cloud security library patches “remote” code execution hole
One popular use of JSON is the JWT system, which isn't pronounced jer-witt, as it is written, but jot, an English word that is sometimes used to refer to the little dot we write above an i or j, and that refers to a tiny but potentially important detail.
Loosely speaking, a JWT is a blob of JavaScript that is used by many cloud services as a service access token.
Well, cybersecurity news today is full of a revelation by researchers at Palo Alto that's variously described as a "High-severity flaw" or a "Critical security flaw" in a popular JWT implementation.
In theory, at least, this bug could be exploited by cybercriminals for attacks ranging from implanting unauthorised files onto a JWT server, thus maliciously modifying its configuration or modifying the code it might later use, to direct and immediate code execution.
Simply put, the act of presenting a JWT to a back-end server for validation, something that typically happens at every API call, could lead to unauthorised code infiltration.
According to the researchers, the bug existed in the part of Auth0's code that validated JWTs presented by remote users against the secret key stored centrally for that user.