Security News > 2023 > January > Popular JWT cloud security library patches “remote” code execution hole

One popular use of JSON is the JWT system, which isn't pronounced jay-double-you-tee or jer-witt, as it is written, but jot, an English word for a tiny but potentially important detail, as in "not one jot or tittle" (the tittle being the little dot we write above an i or j).
Loosely speaking, a JWT is a compact, base64url-encoded blob of JSON (a header naming the signing algorithm, a set of claims about the bearer, and a signature over both) that many cloud services hand out and accept as a service access token.
Well, cybersecurity news today is full of a revelation by researchers at Palo Alto Networks (its Unit 42 team) that is variously described as a "high-severity flaw" or a "critical security flaw" in a popular JWT implementation.
In theory, at least, this bug could be exploited by cybercriminals for attacks ranging from implanting unauthorised files on a JWT-validating server, thus maliciously modifying its configuration or the code it might later load, all the way to direct and immediate code execution.
Simply put, the act of presenting a JWT to a back-end server for validation - something that typically happens at every API call - could lead to unauthorised code running on that server.
According to the researchers, the bug sat in the part of Auth0's code that validated JWTs presented by remote users against the secret or public key the server supplies for verification: the verification routine did not check what type of value it had been handed as that key, so an attacker-shaped object could have its own methods invoked during validation.
The word "remote" in the headline is in quotation marks for a reason. To reach the bug, an attacker needs to control the key argument that the server passes to the verification function, not merely the token itself, which is why the practical severity is lower than "unauthenticated RCE on every API call" might suggest. The fix is the obvious one: reject any key value that is not a string, a byte buffer or a proper key object before any cryptography is attempted.