well, you're in luck, they are JWTs in fact. JWTs in JWTs, so extra secure. | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		milkshakes 6 months ago \| parent \| context \| favorite \| on: One Token to rule them all – Obtaining Global Admi... well, you're in luck, they are JWTs in fact. JWTs in JWTs, so extra secure.

Freak_NL 6 months ago [–]

And of course, because the inner JWT is already signed, why bother signing the outer one? Just validate the inner one!

I'm feeling sorry for those poor abused JWTs in this vulnerability.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact