Summary
YourSpotify version <1.8.0 uses a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users.
Details
The following functions handling JWT processing in YourSpotify use the hardcoded string MyPrivateKey to sign and verify the tokens:
- Route /spotify in server/src/routes/oauth.ts (GitHub link: your_spotify/server/src/routes/oauth.ts, line 25 in b205bfb):
    const token = sign({ userId: isOffline }, 'MyPrivateKey', {
- Middleware baselogged in server/src/tools/middlewares.ts (GitHub link: your_spotify/server/src/tools/middleware.ts, line 58 in b205bfb):
    const userId = verify(auth, 'MyPrivateKey') as { userId: string };
This JWT "secret" is the same in all installations and deployments of the application. It can easily be extracted from the source code.
This means that attackers can forge JWT signatures easily, either with custom tools or publicly available tools such as https://jwt.io/ or CyberChef.
Proof of Concept
After logging in with Spotify, the YourSpotify backend stores a signed JWT in the token cookie to keep the authentication state of the current user. As an example, such a JWT may look like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI2NWNlNzM5ZmNhNDhkZDI1ODk3NmE1OGEiLCJpYXQiOjE3MDgxMTAyMDIsImV4cCI6MTcwODExMzgwMn0.mIOWcMxJry4SXuD8_9ol4tUZE9sO_QfABUXv-CCUsC4
This token can be decoded using widely available public tools such as https://jwt.io/ or CyberChef. The token from this example decodes to the following JSON header and payload:
{
"alg": "HS256",
"typ": "JWT"
}
{
"userId": "65ce739fca48dd258976a58a",
"iat": 1708110202,
"exp": 1708113802
}
As the signature secret is hardcoded and publicly available, attackers can bypass authentication by specifying the userId of any YourSpotify user, setting an appropriate expiration time in exp, and re-signing the JWT with the hardcoded secret MyPrivateKey.
The following CyberChef recipe can be used to demonstrate how easy this process is: https://gchq.github.io/CyberChef/#recipe=JWT_Sign('MyPrivateKey','HS256')&input=ewogICAgInVzZXJJZCI6ICJpbnNlcnQgYW55IHVzZXJJZCBoZXJlIiwKICAgICJpYXQiOiAxNzA4MTEwMjAyLAogICAgImV4cCI6IDIwMDAwMDAwMDAKfQ
To reproduce the issue, simply change the userId in the token to a valid value for your specific instance and change the token cookie to the new JWT.
It must be noted that attackers need knowledge of a valid YourSpotify userId for successful exploitation. However, these IDs are MongoDB IDs and are not intended to be unguessable values. Furthermore, the userId of all registered users can be obtained by any other registered user, or by guests using guest tokens, by querying the /accounts endpoint. It is therefore likely that attackers can obtain a valid userId.
Impact
This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users.