this is an awesome JWT bug: tell the receiver that RSA pub key is HMAC secret key -> verification passes! https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ …
Why would the receiver ever trust the sender? While I agree it's a protocol bug to allow this syntactically, it's more a lack of validation on the receiver's side
Replying to @RichFelker @bcrypt
personally I don't expect library authors to think too hard about the spec they're implementing
Yes, but you always have to validate all input. This is inevitable.
9:39 AM - 8 May 2017