I hereby claim:
- I am sushiwushi on github.
- I am sushiwushi2 (https://keybase.io/sushiwushi2) on keybase.
- I have a public key ASAq4-pYyqoXzprChLh02X99R9_PmrG84XzkcSW8pFtHFwo
To claim this, I am signing this object:
1. Leaked JWT secret keys through JavaScript files
Zendesk is a support system used by many websites. Some of them have enabled JWT for single sign-on authentication: https://support.zendesk.com/hc/en-us/articles/203663816-Enabling-JWT-JSON-Web-Token-single-sign-on
There may be a possibility that the JWT secret token is leaked in JavaScript files, as shown in the report below:
https://hackerone.com/reports/638635
To search for it, grep (Ctrl + F) for "jwt" in the website's Zendesk JavaScript files.
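A pre-deployment check for the leak described above, as an added example that is not part of the original notes: it scans your own front-end JavaScript for string literals assigned to JWT-named identifiers and separates signing secrets from tokens. The identifier hints, the 3.5-bit entropy threshold and the sample bundle are assumptions constructed for illustration.

```python
import math
import re

# Identifier names hinting at JWT SSO key material (assumed heuristic, not Zendesk's naming).
NAME_HINT = re.compile(r"jwt|shared_?secret|sso_?(secret|key)", re.I)
# name = "value" or "name": "value"; values containing spaces are ignored.
ASSIGNMENT = re.compile(
    r"""["']?([A-Za-z_$][\w$]*)["']?\s*[:=]\s*(["'])([A-Za-z0-9+/=_.\-]{16,})\2"""
)
# Three dot-separated base64url segments: a signed token rather than the signing secret.
TOKEN = re.compile(r"^[\w-]+\.[\w-]+\.[\w-]+$")

# Constructed sample bundle; every value below is made up.
SAMPLE_JS = '''\
var zendeskSubdomain = "example-support-portal";
var JWT_SECRET = "REPLACE_ME_REPLACE_ME";
var config = { "jwt_secret": "CONSTRUCTEDq8Zr2Lx0Vn5Tb7Kd3Hs9Wm4Pf6Yc1" };
var zendeskJwt = "eyJhbGciOiJIUzI1NiJ9.Y29uc3RydWN0ZWQ.c2FtcGxl";
function login(user) { return sign(user, config.jwt_secret); }
'''


def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_jwt_secrets(js_source, min_entropy=3.5):
    """Return (line_no, identifier, kind) for literals that look like JWT material."""
    findings = []
    for line_no, line in enumerate(js_source.splitlines(), start=1):
        for name, _quote, value in ASSIGNMENT.findall(line):
            if not NAME_HINT.search(name):
                continue  # long literal, but not under a JWT-related name
            if TOKEN.match(value):
                findings.append((line_no, name, "token"))
            elif shannon_entropy(value) >= min_entropy:
                findings.append((line_no, name, "secret"))  # placeholders score lower
    return findings


if __name__ == "__main__":
    for finding in find_jwt_secrets(SAMPLE_JS):
        print(finding)
```

A "secret" finding means the shared signing key is shipped to every visitor and should be rotated and moved server-side; a "token" finding exposes only the one signed assertion.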
References
https://jwt.io