Java : Privacy violation in JWT-token
Classification
Overview
Privacy of personal user data may be violated. This can break the law and harm the reputation of the application.
A JWT is a string of three dot-separated parts: a header, a payload (the claims) and a signature, each base64url-encoded. Base64 is an encoding, not encryption: it only represents bytes as an ASCII character sequence, so anyone who holds the token (the client, an intermediate proxy, a log file) can decode the payload and read every claim. The signature proves who issued the token and that it was not modified; it does not hide the contents (unless the token is additionally encrypted as a JWE).
Valuable personal data may enter the application from a variety of sources: directly from the user, from a database, or from third-party storage. Often this data is not marked as confidential, or it is not valuable by itself but only in a certain context.
Security and privacy of personal data often conflict. From a security perspective, it is desirable to record all activity in the system in as much detail as possible, so that traces of malicious actions can be found later. From a privacy standpoint, on the contrary, logging confidential information increases the risk of its leakage. In this case privacy should take priority: a token that carries personal data is copied into every request header, browser storage and access log it passes through.
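As an added illustration (not code from the original page, nor from any scanner or JWT library), a minimal HS256 JWT built with only the JDK: issueVulnerable copies an e-mail address and phone number into the claims, issueSafe keeps only an opaque subject identifier, and readPayloadWithoutKey shows that the payload of either token is readable without the signing key. The class name, method names, demo key and sample user data are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: a minimal HS256 JWT using the JDK only, to show why personal
// data must not be placed in claims. Production code should use a maintained
// JWT/JSON library; class, method names and the key below are assumptions.
public class JwtPrivacyExample {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // Constructed demo key. A real key is random and is never kept in source.
    private static final byte[] KEY =
            "demo-secret-key-for-illustration-only".getBytes(StandardCharsets.UTF_8);

    // header.payload.signature, where signature = HMAC-SHA256(header.payload).
    static String sign(String payloadJson) throws Exception {
        String header = B64.encodeToString(
                "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + B64.encodeToString(sig);
    }

    // VULNERABLE: personal data copied into the claims. The signature only
    // proves who issued the token; it hides nothing.
    static String issueVulnerable(String userId, String email, String phone) throws Exception {
        // JSON built by concatenation for brevity only (no escaping of values).
        String claims = "{\"sub\":\"" + userId + "\",\"email\":\"" + email
                + "\",\"phone\":\"" + phone + "\",\"role\":\"user\"}";
        return sign(claims);
    }

    // HARDENED: only an opaque identifier plus what the resource server needs
    // for authorization. PII stays in the user store and is looked up by "sub".
    static String issueSafe(String userId) throws Exception {
        return sign("{\"sub\":\"" + userId + "\",\"role\":\"user\"}");
    }

    // What any holder of the token (browser, proxy, log file) can do without
    // the key: split on '.' and base64url-decode the second part.
    static String readPayloadWithoutKey(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS");
        }
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample user data.
        String bad = issueVulnerable("u-1042", "alice@example.com", "+1-555-0100");
        String good = issueSafe("u-1042");
        System.out.println("Vulnerable token payload: " + readPayloadWithoutKey(bad));
        System.out.println("Hardened token payload:   " + readPayloadWithoutKey(good));
    }
}
```

Compile and run with javac JwtPrivacyExample.java && java JwtPrivacyExample. The first line prints the e-mail address and phone number in clear text even though the token is correctly signed; the second prints only the opaque id and role. The hardened variant is not free: every consumer that needs the user's contact details must now fetch them by "sub" from the user store, which is exactly the point, since the data then stays where access to it can be controlled and audited instead of travelling in every request and every log line.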
References
- OWASP Top 10 2017-A3-Sensitive Data Exposure
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- CWE-359: Exposure of Private Information (‘Privacy Violation’)
- Hacking JSON Web Tokens (JWTs) - The Startup
- JSON Web Token for Java - OWASP Cheat Sheet Series
- CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
