On https://jwt.io/, if I change "alg": "HS256" to "alg": "none", then the signature still passes validation. I can then change the body contents at will. This seems to be the very bug that the blog post in the warning on the same page warns about (https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/).
To be clear: if the header is eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0, then the token validates even though a signature is present.
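The defensive counterpart to the observation above, as an added example that is not jwt.io's code or any JWT library's: a minimal HS256 verifier in which the verifier, not the token header, decides the algorithm. It uses only the Python standard library and assumes a shared HS256 secret (the constructed value `KEY`); the function names (`verify`, `make_token`, `tamper_to_none`) are this example's own. It builds a genuine token, then reproduces the reported manipulation by swapping in the exact header quoted above (which decodes to `{"alg":"none","typ":"JWT"}`) and rewriting the body while keeping the old signature segment, and shows that the pinned verifier rejects it.

```python
"""Minimal HS256 JWT verifier that pins the algorithm, so a header of
"alg": "none" is rejected even when a signature segment is still present.
Added example, not jwt.io's or any library's code; stdlib only."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips before decoding
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def sign_hs256(signing_input: bytes, key: bytes) -> str:
    return b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())


def make_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a token. alg="none" exists here only to reproduce the unsigned case."""
    header = b64url_encode(
        json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = sign_hs256(signing_input, key) if alg == "HS256" else ""
    return f"{header}.{body}.{sig}"


def tamper_to_none(token: str, new_payload: dict) -> str:
    """Reproduce the jwt.io observation: header swapped to the quoted alg=none
    header, body rewritten, original signature segment left in place."""
    _, _, sig_b64 = token.split(".")
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    body = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{sig_b64}"


def verify(token: str, key: bytes, expected_alg: str = "HS256"):
    """Return the payload if the token is valid under expected_alg, else None.

    The caller fixes the algorithm up front; the token's "alg" is compared
    against that choice and never used to select a verification routine,
    so "none" can never switch signature checking off.
    """
    if not token.isascii():
        return None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None  # rejects "none" and any other algorithm substitution
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected_sig = sign_hs256(signing_input, key)
    # Constant-time comparison so a wrong signature leaks no byte position
    if not hmac.compare_digest(expected_sig.encode(), sig_b64.encode()):
        return None
    try:
        return json.loads(b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    KEY = b"constructed-demo-secret"  # constructed sample key, not a real secret
    good = make_token({"sub": "alice", "admin": False}, KEY)
    print("genuine token accepted:", verify(good, KEY))
    forged = tamper_to_none(good, {"sub": "alice", "admin": True})
    print("forged header:", forged.split(".")[0])
    print("alg=none forgery accepted:", verify(forged, KEY))
```

The design point is that `expected_alg` is a parameter of the verifier, not something read from the token: a library that looks at the header first and then picks "no verification" for `none` is exactly what the linked post describes, and the fix is to never let untrusted input choose the check.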