Site icon API Security Blog

Linktree: Account takeover – improper validation of jwt signature (with regards to experiation date claim)

Some backend services did not properly validate JWTs. As a result JWT validation could be bypassed by setting the expiration date claim to a unix timestamp in the past, and abusing this for account takeover.
The expiration date claim of the JWT token was not properly handled. I was able to bypass validation by changing the expiration date to a date in the past.Read More

Exit mobile version