
The JWT isn't tampered with. Imgur servers did not validate that the decoded payload matched their FB app ID. It says in the docs to be sure to match on the app ID, because FB isn't going through the ceremony of checking that your OAuth key is registered to a specific app ID and therefore only valid together. App ID is considered arbitrary payload metadata in this sense.
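The check the comment above describes, as an added example that is not code from the thread, from Imgur, or from Facebook: a provider signs tokens for any app with one key, so a relying party that only verifies the signature will accept a validly signed token issued to a different app. The signing key, app IDs, user ID and the use of HS256 are all constructed for the example; a real provider's signing scheme and claim names may differ.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this example; not real provider, Imgur or Facebook identifiers.
PROVIDER_KEY = b"constructed-provider-signing-key"
OUR_APP_ID = "app-ours-0001"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(payload: dict, key: bytes = PROVIDER_KEY) -> str:
    """Stand-in for the identity provider (assumption): HS256-signs whatever
    payload is requested and does NOT bind the key to one app ID, which is the
    situation the comment describes. The app ID is just payload metadata."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes = PROVIDER_KEY) -> Optional[dict]:
    """Check token structure, algorithm and HMAC; return the decoded payload or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        provided_sig = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return None
    return json.loads(_b64url_decode(p))


def accept_login_weak(token: str) -> Optional[str]:
    """The flawed relying-party check: signature only. Any token the provider
    signed is trusted, regardless of which app it was issued to."""
    payload = verify_signature(token)
    return payload["sub"] if payload else None


def accept_login(token: str, our_app_id: str = OUR_APP_ID) -> Optional[str]:
    """Hardened check: the signature must verify AND the app ID carried in the
    payload must be this relying party's own app ID."""
    payload = verify_signature(token)
    if payload is None or payload.get("app_id") != our_app_id:
        return None
    return payload["sub"]


if __name__ == "__main__":
    ours = issue_token({"sub": "user-123", "app_id": OUR_APP_ID})
    other = issue_token({"sub": "user-123", "app_id": "app-attacker-9999"})
    print("weak check, foreign-app token:", accept_login_weak(other))  # user-123
    print("hardened check, foreign-app token:", accept_login(other))   # None
    print("hardened check, our token:", accept_login(ours))            # user-123
```

In standards-based JWTs this is the `aud` (audience) claim of RFC 7519, and the same rule applies: a verifier must reject any token whose audience is not itself, even when the signature is valid, because the signature proves only who issued the token, not who it was issued for.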


This problem/attack is called "confused deputy". It's surprisingly hard to find a link that correctly explains the problem and its mitigations. This one is correct but not very verbose: https://medium.com/@fhbro/confused-deputy-c9e75eb7df00#8edf



