Use of JWT and insecure algorithm HS256
A recent security penetration test on our website found that the Zendesk JWT Single Sign-on solution uses an insecure algorithm for the token encryption. The JWT is using HS256 instead of RS256. This is used for loading support chat and has become a vulnerability on our site, and we assume all other customers who use this JWT SSO solution have the same issue. Your website here: https://support.zendesk.com/hc/en-us/articles/4408845838874 states "Note: Zendesk does not support the RS256 and ES256 JWT algorithms."
Are there plans to support this in the future? The lack of support of this algorithm may force us to look at another chat provider.