Status: Closed
Assigned To: nferrari
Private
Opened by nhlimon - 18.10.2025
Last edited by nferrari - 28.10.2025
FS#230 - Bug Bounty Report: Lack of Proof-of-Possession (PoP) in Access Tokens
Summary:
The OAuth implementation relies solely on bearer tokens (RFC 6750). Bearer tokens act like “keys to the kingdom” — anyone holding them gets full access. Without Proof-of-Possession (PoP) or sender-constrained tokens, a stolen token can be reused by an attacker from any device, IP, or session.

Steps to Reproduce:
1. Log in to the alwaysdata.com application and obtain a valid bearer access token (e.g., via browser dev tools).
2. Replay the same token from a completely different environment:
   - another browser,
   - another machine,
   - or a proxy/intercepting tool.
3. Observe that the API/service still accepts the token without verifying the device, TLS channel, or binding key.

Impact:
- Token Replay Attacks: Stolen tokens from XSS, CSRF, or insecure storage can be reused by attackers.
- Session Hijacking: An attacker can impersonate users indefinitely until the token expires or is revoked.
- High-Severity Risk: Any token leak = full account compromise.
Hi,
Please provide a demonstration.