(Question) about security

[johaven]

A lot of articles talk about to leave JWT because the architecture is vulnerable.

http://blog.websecurify.com/2017/02/hacking-json-web-tokens.html

This library (and PyJWT) are vulnerable to this hack ?

[vimalloc]

At a glance I do not believe this extension to be vulnerable to that type of attack for two reasons.

First, this extension doesn't currently support public/private key encryption for the JWTs (pull requests welcome for this!). So it only ever uses a secret key for signing the keys, which shouldn't be leaked like it was in that article.

Second, anytime we encode or decode a JWT, we use the algorithm defined in the extension here, which default to HS256. We never use the value that is defined in the JWT itself. That said, I do need to check the underlying PyJWT implementation and make sure it's doing what I expect it to be doing. I'll look closer into that for you later today.

Thanks for the interesting read :)

[johaven]

Thanks for your complete answer 👍

[vimalloc]

So, it looks like there was a problem with decoding tokens like what was outlined in the article. However, this was a bug with this application, not a problem with pyjwt (they use algorithms instead of algorithm for the decode argument, but **kwargs happily ate the algorithm argument I was passing in, so it didn't raise a runtime error).

Because this doesn't currently support public/private key encryption on the token, I can't think of any way this could be abused in the wild, as the attacker would still need access to your secret key in order to forge tokens. That said, I patched it and will release a new version with the patch ASAP, just to be sure.

Thanks! 👍