I recently came across an API from a decent-sized SaaS company that, when accessed with a private API key, returns that same key in plaintext within a JWT in the response headers. I'm not the best at cybersecurity and I'm not sure if this is a big deal or just how things go. Should I let the company know about this, or is it considered acceptable practice?
4 Answers
This definitely raises a flag for security practices. Even if it’s not a vulnerability that qualifies for a bug bounty, it's not a great sign that they might not be thinking critically about how data flows through their system. If you're into security research, it could be worth checking out what else they might have overlooked.
I don’t see what the big deal is. If you already have the private key to access the API, then getting it back in the response doesn’t really give anyone any extra information. It's all about how secure the key itself is anyway.
It’s quite common for APIs to return the key in the response; however, including the API key inside the JWT doesn’t really add any value. In fact, it could be seen as a potential security risk. JWTs are supposed to be short-lived, while the API key often lasts longer, so tying them together could lead to issues if someone were to get hold of an older JWT. It's worth flagging this to the company, as it indicates they haven't fully considered security best practices.
Exactly! While it might not be an outright security flaw, it's definitely a sign that they need to improve their approach to secure data handling.
Are you sure you're not mixing this up with a refresh token situation? If it’s the same private key being sent back to you, it’s redundant in a way.

That’s true to an extent, but it still shows a lack of attention to security practices. Just because there's no immediate risk doesn't mean it shouldn't be improved.
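The third answer's point, that a JWT is only base64url-encoded and an old token still hands over the long-lived key, can be checked on a captured response. This is an added example, not code from the thread or the vendor; it assumes an HS256 token in a constructed `X-Session-Token` header, a constructed key value and a hypothetical server signing secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example; nothing here comes from the thread.
API_KEY = "sk_live_EXAMPLE_0123456789"          # the long-lived private API key
SIGNING_SECRET = b"server-side-hs256-secret"    # hypothetical server JWT secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict) -> str:
    """Mint an HS256 JWT, only so the check below has realistic tokens to inspect."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying it: claims are base64url, not encrypted,
    and an 'exp' claim does not stop anyone holding an old token from reading them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def find_leaked_secret(headers: dict, secret: str) -> list:
    """Return the names of response headers whose JWT claims contain `secret` verbatim."""
    leaked = []
    for name, value in headers.items():
        token = value[7:] if value.lower().startswith("bearer ") else value
        try:
            claims = jwt_payload(token)
        except ValueError:          # covers base64/JSON errors: header is not a JWT
            continue
        if isinstance(claims, dict) and any(secret in str(v) for v in claims.values()):
            leaked.append(name)
    return leaked

# Constructed responses: the first echoes the key inside the token (the pattern in the
# question); the second carries only an opaque key id, which is the usual fix.
LEAKY_RESPONSE = {"X-Session-Token": make_jwt({"sub": "acct_42", "api_key": API_KEY, "exp": 1700000000}),
                  "Content-Type": "application/json"}
CLEAN_RESPONSE = {"X-Session-Token": make_jwt({"sub": "acct_42", "key_id": "key_7", "exp": 1700000000})}
```

`find_leaked_secret(LEAKY_RESPONSE, API_KEY)` returns `['X-Session-Token']` while the key-id variant returns `[]`, which is the shape of the report worth sending the vendor.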