Unauthenticated OpenID Connect JWKS Endpoint

[dalpan]

Summary:

A vulnerability has been discovered in the OpenID Connect JWKS (JSON Web Key Set) endpoint at *.portkey.finance/.well-known/jwks. This vulnerability allows unauthenticated access, which can be exploited for a variety of malicious purposes.

• auth-portkey.portkey.finance/.well-known/jwks
• auth-portkey-test.portkey.finance/.well-known/jwks

OWASP Classification: A10 - Broken Authentication

Description:

The OpenID Connect JWKS (JSON Web Key Set) endpoint at *.portkey.finance/.well-known/jwks does not require authentication, allowing unauthorized access. This can be exploited by attackers for a variety of malicious purposes, including key theft, DoS attacks, and MitM attacks.

{
    "keys": [
        {
            "kid": "4D5B8184382F8A5DC6407FA7A6FCE1F7B19AD9C0",
            "use": "sig",
            "kty": "RSA",
            "alg": "RS256",
            "e": "AQAB",
            "n": "rG753ZTqu4C0rJLmgU9lXo1pi5EVMLkoKFK5CJvZ62kYi1f8HuD9Fass13GIq18IbSpd0xersZYtKM98rw7ARIyYZgfNIiomzZs-vO1ef-jzxdfvguigKuqE9LJZYPSCXCdOi5mGAWywG-EYlsUxJZfmNgoz2Qb72TPGhi_ve9UFb7FrVkn8e5xJo5ugtRvQRPsWIP5qT-M3YvzERGpGnTmnifjLZe2Or7QOQ521FTaaWI8QSYgr_U7mkR5pSO1865l3_Q4Qq4OC-ZlRVvrnvZzWE5ml-5cgCokILjcRWNLTVYbAdVgBqrK5Cpugl7uTE0DYOggxEOvj5tFNohtvpQ",
            "x5t": "TVuBhDgvil3GQH-npvzh97Ga2cA",
            "x5c": [
                "MIIC9TCCAd2gAwIBAgIJANX+sK7CV4tVMA0GCSqGSIb3DQEBCwUAMDAxLjAsBgNVBAMTJU9wZW5JZGRpY3QgU2VydmVyIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMjQwMTMxMDkxNzU2WhcNMjYwMTMxMDkxNzU2WjAwMS4wLAYDVQQDEyVPcGVuSWRkaWN0IFNlcnZlciBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArG753ZTqu4C0rJLmgU9lXo1pi5EVMLkoKFK5CJvZ62kYi1f8HuD9Fass13GIq18IbSpd0xersZYtKM98rw7ARIyYZgfNIiomzZs+vO1ef+jzxdfvguigKuqE9LJZYPSCXCdOi5mGAWywG+EYlsUxJZfmNgoz2Qb72TPGhi/ve9UFb7FrVkn8e5xJo5ugtRvQRPsWIP5qT+M3YvzERGpGnTmnifjLZe2Or7QOQ521FTaaWI8QSYgr/U7mkR5pSO1865l3/Q4Qq4OC+ZlRVvrnvZzWE5ml+5cgCokILjcRWNLTVYbAdVgBqrK5Cpugl7uTE0DYOggxEOvj5tFNohtvpQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAKI0sS+1SWLGeXo9zjh+bjlyFij6rwut0BNHBsE4GYpwS3cbdkpc88zJ54q8Mi6smhgwC796OWrAJMaVXPtoiEWo456aO2qMNe8evJGL7mdPPtI1PULIt8bfPKIz88wZpL3Ub7ldGTVOJyOFgime1P1zM/NWPBJBqSJtZFnOzK9pXAoovZRto68On+XZJdHbZkWCvf1T0lemdNDvfnYo/Y8ZBZUcU9ZuLo0pa4SLKjx9Dy434DBtQV2yqNDhnzxndPGjyo5NG/CDntgA2gY9Yi/GM97FaMKxHuDSxgWpzXK069aDPcUoeZwPk2mdkMF3QRrxJ3Rg+n88Dltwll3H5T8="
            ]
        }
    ]
}

Impact:

• Key Theft: Attackers can steal the private keys used to sign JWTs, allowing them to forge user identities and access protected resources.
• Denial-of-Service (DoS) Attacks: Attackers can flood the endpoint with requests, making it unavailable to legitimate users.
• Man-in-the-Middle (MitM) Attacks: Attackers can intercept communication between clients and the endpoint, steal JWTs, and use them to access protected resources.

Mitigation:

• Enforce authentication: Require authentication before allowing access to the JWKS endpoint.
• Restrict access: Limit access to the JWKS endpoint to only authorized clients.
• Use IP blacklisting: Blacklist IP addresses suspected of malicious activity.
• Monitor activity: Monitor activity on the JWKS endpoint for suspicious activity.

Recommendations:

• Patch this vulnerability immediately to prevent further exploitation.
• Follow best practices for OpenID Connect, such as using HTTPS and implementing strong access controls.

OWASP References:

• OWASP Top 10: A10 - Broken Authentication https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication
• OWASP Cheat Sheet Series: Broken Authentication https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
• OWASP Testing Guide: Broken Authentication https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication

[Ian-potter]

Users can use this interface's data to verify the validity of the jwt tokens we issue. This is the industry-standard method for validating jwt tokens.