Site icon API Security Blog

Cloudflare Public Bug Bounty: Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts

The OIDC JWT token issued on a new Sign in with Apple ID to the Cloudflare Dashboard had an excessive lifetime. When intercepted by a malicious actor, it enabled impersonation of the affected user on multiple devices during the entire token validity period without the need to re-authenticate.
The issue was fixed by the engineering team and the lifetime of the generated JWT was significantly decreased.Read More

Exit mobile version