Closed KSanthanam closed 9 years ago
@KSanthanam JSONWebToken in Swift is not vulnerable to this problem since you are explicitly stating which algorithms with the keys you want to use.
In the following example, we are explicitly supporting HS256 with the key secret and secret2.
try JWT.decode("eyJh...5w", algorithms: [.HS256("secret"), .HS256("secret2")])
It's not possible for a user to downgrade to the none algorithm since it's not supplied. It's not possible to switch to HMAC because it isn't supplied (and also the library doesn't support it). It's not even possible to use any other algorithm than HS256 where the key is secret and secret2.
The developer is in full control of the allowed algorithms.
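The allow-list design described in the comment above, as an added Python sketch (it is not part of the thread and not JSONWebToken.swift's own code). The function names, the sample claims and the `not-allowed` key are assumptions made for illustration, and only HS256 is implemented.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build an HS256 token (used here only to construct sample input)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def decode(token: str, allowed: list) -> dict:
    """Verify against caller-supplied (algorithm, key) pairs only.

    The header's "alg" never selects a verifier by itself: it must match
    an entry in `allowed`, otherwise the token is rejected.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict):
        raise ValueError("malformed token header")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    for alg, key in allowed:
        if alg != "HS256" or header.get("alg") != alg:
            continue  # algorithm not supplied by the caller, or not implemented
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, signature):  # constant-time compare
            return json.loads(b64url_decode(payload_b64))
    raise ValueError("no allowed algorithm/key pair verifies this token")

# Constructed sample inputs, mirroring the two keys in the comment above.
ALLOWED = [("HS256", b"secret"), ("HS256", b"secret2")]
GOOD = sign_hs256({"sub": "alice"}, b"secret2")
OTHER_KEY = sign_hs256({"sub": "alice"}, b"not-allowed")
# Constructed unsigned token whose header claims "alg": "none".
UNSIGNED = b64url(b'{"alg":"none"}') + "." + GOOD.split(".")[1] + "."
```

`decode(GOOD, ALLOWED)` returns the claims, while `OTHER_KEY` and `UNSIGNED` both raise `ValueError` because neither matches a pair the caller supplied.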
This is a fix for the critical vulnerability identified by Tim McClean in this article