Donetick Weak Default JWT Secret Vulnerability Allowing Account Takeover
Vulnerability
A vulnerability exists in Donetick, an open-source task management application, prior to version 0.1.44: it authenticates users with JSON Web Tokens (JWT) signed with a weak default signing secret. Anyone who knows that default can forge valid tokens, leading to full account takeover of any user. The issue is present in both self-hosted and official live instances.
Impact
Exploitation of this vulnerability allows for full account takeover of any user.
Reproduction
To reproduce this vulnerability, use a version of Donetick prior to 0.1.44. The weak default JWT secret can be exploited by forging a token using the HS256 algorithm. This can be done by creating a payload that includes the user's ID and a future expiration date, and then signing it with the default secret. Once the forged token is created, it can be used to authenticate as the user whose ID was included in the payload.
Remediation
Update to Donetick version 0.1.44 or later, where this vulnerability has been patched.
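As an added illustration of the fix class, not Donetick's own code, the following Go startup check refuses an empty, shipped-default or too-short HS256 secret and generates a random one when none is configured, so the application never falls back to a value an attacker could read from the source. The entry in knownDefaultSecrets is a constructed placeholder; the real pre-0.1.44 default is deliberately not reproduced.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed placeholders for shipped defaults; the real pre-0.1.44 value is deliberately not reproduced.
var knownDefaultSecrets = map[string]struct{}{
	"CHANGE_ME_DEFAULT_SECRET": {}, // placeholder, not the actual Donetick default
}

// ValidateJWTSecret rejects secrets that let anyone who has read the source mint their own tokens.
func ValidateJWTSecret(secret string) error {
	if secret == "" {
		return errors.New("jwt secret is empty")
	}
	if _, known := knownDefaultSecrets[secret]; known {
		return errors.New("jwt secret is a shipped default; set your own")
	}
	// HS256 keys shorter than the 32-byte HMAC-SHA256 output weaken the scheme (RFC 7518 section 3.2).
	if len(secret) < 32 {
		return fmt.Errorf("jwt secret is %d bytes, need at least 32", len(secret))
	}
	return nil
}

// GenerateJWTSecret returns 48 random bytes, URL-safe base64 encoded, in place of a hardcoded fallback.
func GenerateJWTSecret() (string, error) {
	raw := make([]byte, 48)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// LoadJWTSecret is the fail-closed startup path: a configured secret must pass validation;
// an absent one is generated and flagged so the caller persists it across restarts.
func LoadJWTSecret(configured string) (secret string, generated bool, err error) {
	if configured == "" {
		s, err := GenerateJWTSecret()
		return s, true, err
	}
	if err := ValidateJWTSecret(configured); err != nil {
		return "", false, err
	}
	return configured, false, nil
}
```

A deployment that logs the generated flag at startup gives operators a visible signal that the secret was not set explicitly, which is the condition the vulnerable versions silently tolerated.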