Researcher Warns About JSON Web Encryption Flaw

By HTMLGoodies Staff

According to Antonio Sanso, a senior software engineer at Adobe Research Switzerland, software libraries implementing the JSON Web Encryption (JWE) specification, RFC 7516, are vulnerable to invalid curve attacks. Web applications using some JWE protocols could allow attackers to retrieve private encryption keys. Affected libraries include go-jose, node-jose, jose2go, Nimbus JOSE+JWT, and jose4 with ECDH-ES.

"At the end of the day the issue here is that the specification and consequently all the libraries I checked missed validating that the received public key (contained in the JWE Protected Header) is on the curve," Sanso wrote.
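
The missing validation Sanso describes can be sketched as follows. This is an added example, not code from the article or from any of the libraries named above. It assumes the NIST P-256 curve and an `epk` member in JWK form inside the JWE Protected Header; the function names are hypothetical and the sample headers are constructed.

```python
import base64
import json

# NIST P-256 domain parameters for y^2 = x^3 - 3x + B (mod P).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8_AA3A93E7_B3EBBD55_769886BC_651D06B0_CC53B0F6_3BCE3C3E_27D2604B
GX = 0x6B17D1F2_E12C4247_F8BCE6E5_63A440F2_77037D81_2DEB33A0_F4A13945_D898C296
GY = 0x4FE342E2_FE1A7F9B_8EE7EB4A_7C0F9E16_2BCE3357_6B315ECE_CBB64068_37BF51F5


def b64url_decode(text):
    """Decode unpadded base64url, the encoding JOSE uses."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def on_p256(x, y):
    """True only if (x, y) is in range and satisfies the P-256 equation."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x - 3 * x + B)) % P == 0


def epk_is_valid(protected_b64):
    """Check the sender's ephemeral key before any ECDH computation."""
    try:
        epk = json.loads(b64url_decode(protected_b64))["epk"]
        if epk["kty"] != "EC" or epk["crv"] != "P-256":
            return False
        x = int.from_bytes(b64url_decode(epk["x"]), "big")
        y = int.from_bytes(b64url_decode(epk["y"]), "big")
    except (KeyError, TypeError, ValueError):
        return False
    return on_p256(x, y)


def make_protected(x, y):
    """Build a constructed JWE protected header carrying (x, y) as epk."""
    epk = {"kty": "EC", "crv": "P-256",
           "x": b64url_encode(x.to_bytes(32, "big")),
           "y": b64url_encode(y.to_bytes(32, "big"))}
    header = {"alg": "ECDH-ES", "enc": "A128GCM", "epk": epk}
    return b64url_encode(json.dumps(header).encode())


if __name__ == "__main__":
    print(epk_is_valid(make_protected(GX, GY)))      # generator: on the curve
    print(epk_is_valid(make_protected(GX, GY + 1)))  # constructed off-curve point
```

A recipient would reject the JWE when `epk_is_valid` returns false, before the private key is ever combined with the received point.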
