There are actually three lessons to be drawn from this incident:
1. Don't use JWT, it's too easy to mess up.
2. If you're trying to fence off some sort of format or API, whitelist things, don't blacklist them.
3. This narrative that "you should use a third-party authentication provider because they're security experts and are much less likely to get it wrong"... well... I think you can see where I'm going with this.
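An added example, not from the comment's author, of lesson 2 applied to lesson 1: a minimal HS256 token verifier whose `alg` check is an allowlist membership test. The secret, claims and `make_token` helper are constructed for the demo; `make_token` only signs when `alg` is `HS256` and otherwise emits an empty signature, which is purely a way to build negative test inputs. Nothing outside the allowlist is ever named, so case variants of `none`, other algorithms, and algorithms that do not exist yet are all rejected by the same line.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"demo-secret-not-for-production"

# The allowlist: the single algorithm this verifier is willing to run.
# Everything else is rejected without having to be enumerated here.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_token(claims: dict, alg: str = "HS256", secret: bytes = SECRET) -> str:
    """Constructed helper for building test inputs.

    Only HS256 tokens are actually signed; any other alg value gets an empty
    signature so the verifier can be exercised against malformed headers.
    """
    signing_input = f"{_segment({'alg': alg, 'typ': 'JWT'})}.{_segment(claims)}"
    if alg == "HS256":
        sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url_encode(sig)}"
    return f"{signing_input}."


def verify(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims if the token verifies, else None.

    The alg check is an allowlist membership test, and the MAC that is
    recomputed is chosen by that decision, never by trusting the header.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    # Only one branch exists past this point: HS256 with our own secret.
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        given = _b64url_decode(s)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, given):
        return None
    try:
        return json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    claims = {"sub": "alice", "role": "user"}
    print("valid token:", verify(make_token(claims)))
    # None of these values appear anywhere in the verifier, yet all fail.
    for alg in ("none", "None", "NONE", "HS384", "RS256", ""):
        print(f"alg={alg!r}:", verify(make_token(claims, alg=alg)))
```

The contrast with a denylist is the list of rejected `alg` values in the demo loop: a denylist would have to spell out every one of them, and would still miss the next spelling; the allowlist rejects them all with a single membership test and a single code path for the MAC.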