JWT token is found to be using weak encryption key i.e. HMAC
What is the Vulnerability?
JSON Web Tokens (JWT) are commonly used for securely transmitting information between parties as a JSON object. However, when JWTs are signed using HMAC (Hash-based Message Authentication Code) with a weak or hardcoded secret key, they become vulnerable to brute-force or dictionary attacks.
An attacker can exploit this by:
- Guessing or cracking the weak signing key.
- Forging tokens to impersonate other users or elevate privileges.
Impact of the Vulnerability
- Token Forgery: An attacker can generate valid JWTs and gain unauthorized access to protected resources.
- Privilege Escalation: Attackers can impersonate admin accounts or bypass role-based controls.
- Data Exposure: Sensitive endpoints may be exposed to unauthorized parties.
- System Compromise: In severe cases, system-level compromise can occur due to trust placed on the JWT.
This compromises authentication, authorization, and session integrity of the application.
Solution to Fix the Vulnerability
- If HMAC is used, ensure keys are at least 256 bits long and randomly generated.
- Avoid hardcoded, guessable, or short secrets (e.g., "admin", "123456").
- Prefer RS256 (RSA) or ES256 (Elliptic Curve) instead of HS256 (HMAC).
- These provide public/private key separation, which is more secure and scalable.
- Implement key rotation policies using kid (Key ID) header for version tracking.
- Always validate the token’s algorithm, expiration, and issuer/audience.
- Do not allow tokens signed with none algorithm.
- If using old libraries (e.g., jsonwebtoken < v8 in Node.js), upgrade immediately, as older versions may contain bypasses for weak keys.
- Avoid PHP JWT libraries that allow none as a signing algorithm without proper checks.