Macrozheng's mall-tiny 1..1, a popular open source e-commerce platform, has been found to suffer from insecure permissions due to a hardcoded JWT (JSON Web Token) signing key and user information exposure in the token payload, potentially leading to authentication bypass and unauthorized access.

Exploit Details

The mall-tiny application generates JSON Web Tokens (JWTs) for user authentication using a hardcoded signing key that never changes. User information is stored directly in the JWT payload, including the user ID, username, email, and roles. As a result, anyone who obtains the key, which is present in the application's source code, can forge a JWT carrying arbitrary user information, bypassing the authentication process and gaining unauthorized access to privileged resources.

To better understand the vulnerability, let's take a look at the following code snippet from the source code of mall-tiny:

// Static signing key compiled into the application (the vulnerable configuration as shipped)
private static final String JWT_SECRET = "mall-tiny";
...
// Builds the claim set from the authenticated user's details; every field ends up in the token payload
public String generateToken(UserDetails userDetails) {
    Map<String, Object> claims = new HashMap<>();
    claims.put(CLAIM_KEY_USERNAME, userDetails.getUsername());
    claims.put(CLAIM_KEY_CREATED, new Date());
    claims.put(CLAIM_KEY_EMAIL, userDetails.getEmail());
    claims.put(CLAIM_KEY_ROLES, userDetails.getAuthorities());
    return generateToken(claims);
}
...
// Signs the claims with HS256 using the static key above (jjwt 0.9.x-style API)
private String generateToken(Map<String, Object> claims) {
    return Jwts.builder()
            .setClaims(claims)
            .setExpiration(generateTimestamp())
            .signWith(SignatureAlgorithm.HS256, JWT_SECRET)
            .compact();
}

Here, JWT_SECRET is hardcoded and never changes, and the user information is assembled explicitly and added to the JWT payload. The token is then signed with the HS256 algorithm using that static JWT_SECRET, so whoever knows the string can produce tokens the application accepts.

Remediation

1. Developers should use dynamically generated signing keys for JWTs, eliminating the possibility of hardcoded keys being misused. One way of doing this is by implementing a process that periodically rotates the signing key, ensuring that attackers have a limited window to exploit a compromised key.

2. Instead of using user information directly in the JWT payload, the application can use a unique identifier to reference the user. For example, the user ID alone could be used as the primary means of referencing the user's identity and their associated permissions, reducing the opportunity for an attacker to craft a JWT with illicit user information.
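The two remediations above, as an added example that is not mall-tiny's code: signing keys are random and held on a key ring addressed by a kid header, keys can be rotated and later retired, and the payload carries only the user id (sub) while roles are resolved from a server-side store. All names, the user table and the key ring are assumptions for this example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed user store: roles are looked up server-side by user id, so the token
# carries only the id (sub) and no username/email/role claims.
USERS = {"1": {"username": "alice", "roles": ["ROLE_ADMIN"]},
         "2": {"username": "bob", "roles": ["ROLE_USER"]}}

# Key ring: kid -> random 256-bit key. Rotation adds a new kid and keeps the old
# one only until tokens signed with it have expired; nothing here is hardcoded.
KEYS = {"k1": secrets.token_bytes(32)}
CURRENT_KID = "k1"

def rotate_key(new_kid):
    global CURRENT_KID
    KEYS[new_kid] = secrets.token_bytes(32)
    CURRENT_KID = new_kid

def retire_key(kid):
    KEYS.pop(kid, None)

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(user_id, ttl=900, now=None):
    now = int(now or time.time())
    header = {"alg": "HS256", "typ": "JWT", "kid": CURRENT_KID}
    payload = {"sub": str(user_id), "iat": now, "exp": now + ttl}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(KEYS[CURRENT_KID], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(token, now=None):
    """Return the server-side user record, or None if the token is not trusted."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        key = KEYS.get(header.get("kid"))          # unknown or retired kid -> reject
        if header.get("alg") != "HS256" or key is None:
            return None
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None
    if payload.get("exp", 0) <= (now or time.time()):
        return None
    return USERS.get(payload.get("sub"))            # identity only; roles come from the store
```

A token whose payload has been edited fails the signature check, and a token signed under a retired kid is rejected even though its signature was once valid.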

Original References

1. Macrozheng's mall-tiny GitHub repository: https://github.com/macrozheng/mall-tiny

2. JSON Web Token (JWT) introduction and vulnerability explanation: https://jwt.io/introduction/

3. JWT Best Practices by OWASP: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html

Conclusion

The mall-tiny 1..1 application is vulnerable to insecure permissions due to a hardcoded JWT signing key and user information exposure in the token payload. The potential for authentication bypass and unauthorized access presents serious security concerns for developers and users. To address these issues, developers should implement dynamic signing keys and adopt proper means of referencing user identities in the JWT payload. As for users, be cautious when using applications with known vulnerabilities and stay informed about updates and patches that address security issues.

Timeline

Published on: 01/31/2025 17:15:15 UTC
Last modified on: 03/13/2025 14:15:34 UTC