Auth0 Home Blog Docs

"alt": "none" validation bug on jwt.io

vulnerability

#1

On https://jwt.io/, if I change “alg”: “HS256” to “alg”: “none”, then the signature still passes validation. I can then change the body contents at will. This seems to be the very bug that the blog post in the warning on the same page warns about (https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/)

To be clear: if the header is eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0
then the token validates even though a signature is present


#2

Thanks for letting us know, I have logged this with the engineering team to fix.


#3