Recently, I came across this story about how JWT (JSON Web Token) signatures still verify even when you change them just a little, and it really got me thinking💭
Normally the signature is the whole point of the security, so I assumed that changing even one character would make verification fail! But... what's going on?
What Exactly Is JWT Anyway?
Simply put, JWT is "a token used for user authentication and information exchange",
and it's divided into three parts👇
- Header (information about algorithms, etc.)
- Payload (user information, etc.)
- Signature (the part that proves it was properly created)
With HS256 this signature is an HMAC-SHA256 over the header and payload, keyed with a shared secret (with RS256 or ES256 it is a public-key signature instead),
and it's the part that lets the verifier detect that the header or payload has been tampered with✨
But Does It Really Verify Even With One Character Different?
Let me give you an example right away. Here's the original JWT👇 (the secret key is your-super-secret-jwt-key-change-this-in-production)
eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOjIsImVtYWlsIjoidGVzdDJAdGVzdC5jb20iLCJpYXQiOjE3NTk2ODc0OTYsImV4cCI6MTc1OTY4ODM5Nn0.clKrlPXTVNB0lpFClG0z3H2JWctC5BVGMfFj4DeJCqY
And here's one where I changed only the last character of the signature from Y to Z👇
eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOjIsImVtYWlsIjoidGVzdDJAdGVzdC5jb20iLCJpYXQiOjE3NTk2ODc0OTYsImV4cCI6MTc1OTY4ODM5Nn0.clKrlPXTVNB0lpFClG0z3H2JWctC5BVGMfFj4DeJCqZ
When I verify this at https://www.jwt.io/,
surprisingly both show "Verification Successful"😳
Why Does This Happen? Let's Look Behind the Scenes...
At first I thought "Could this be a bug?!", but this is actually how Base64URL works. Each Base64URL character carries 6 bits. An HS256 signature is 32 bytes = 256 bits, which isn't a multiple of 6: it needs 43 characters (258 bits), so the last character holds 2 bits that aren't part of the signature at all💡
Y (index 24 = 011000) and Z (index 25 = 011001) differ only in one of those leftover bits. Decoders throw the leftover bits away, so a signature ending in Y, Z, a or b decodes to exactly the same 32 bytes, and the HMAC comparison passes✨
So this isn't really jwt.io overlooking an error. RFC 4648 (section 3.5) says an encoder MUST set those pad bits to zero, but a decoder only MAY reject input where they aren't, and most decoders, and therefore most JWT libraries built on them, quietly accept it🤔
Nobody can forge a token this way, because all 256 bits of the MAC still have to match. The one practical caveat is that the token string is not unique: every HS256 signature has four valid spellings (an HS512 tag is 64 bytes and has sixteen), so never use the raw token string as an identifier, for example as the key of a revocation list🤔
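Here is a worked demonstration of the explanation above, written for this page and not taken from the post or from jwt.io: it decodes the two signature segments quoted above, enumerates every spelling a lenient decoder accepts, and contrasts a lenient HS256 verifier with one that insists on canonical Base64URL. The signing secret and claims used in the `__main__` block are constructed for the example; the post's own secret is not used, and the function names are my own.

```python
import base64
import hashlib
import hmac
import json

B64URL_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

# The two signature segments quoted in the post (Y vs Z as the last character).
SIG_ORIGINAL = "clKrlPXTVNB0lpFClG0z3H2JWctC5BVGMfFj4DeJCqY"
SIG_MUTATED = "clKrlPXTVNB0lpFClG0z3H2JWctC5BVGMfFj4DeJCqZ"


def b64url_encode(data: bytes) -> str:
    """Canonical, unpadded base64url as JWS (RFC 7515) uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode_lenient(text: str) -> bytes:
    """What most decoders do: restore '=' padding and silently drop the
    leftover low bits of the final character."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_decode_strict(text: str) -> bytes:
    """RFC 4648 s3.5 style: accept only the canonical spelling. If re-encoding
    the decoded bytes does not reproduce the input, the input carried non-zero
    pad bits (or stray padding) and is rejected."""
    data = b64url_decode_lenient(text)
    if b64url_encode(data) != text:
        raise ValueError("non-canonical base64url (pad bits are not zero)")
    return data


def equivalent_encodings(data: bytes) -> list:
    """Every base64url string a lenient decoder maps back to `data`.
    len(data)*8 bits are packed into 6-bit symbols; the unused low bits of the
    last symbol are ignored on decode, so each of their 2**n values is accepted.
    A 32-byte HS256 tag has 2 free bits (4 spellings), a 64-byte HS512 tag has 4 (16)."""
    canonical = b64url_encode(data)
    if not canonical:
        return [""]
    free_bits = len(canonical) * 6 - len(data) * 8
    last = B64URL_ALPHABET.index(canonical[-1])  # canonical => free bits are already 0
    return [canonical[:-1] + B64URL_ALPHABET[last | i] for i in range(1 << free_bits)]


def hs256_sign(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 (HS256)."""
    segs = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    tag = hmac.new(secret, ".".join(segs).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(tag)])


def hs256_verify(token: str, secret: bytes, strict: bool = False) -> bool:
    """Recompute the tag over header.payload and compare in constant time.
    strict=True additionally rejects a signature segment that is not canonical."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode_lenient(header_b64))
        given = (b64url_decode_strict if strict else b64url_decode_lenient)(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(given, expected)


def demo() -> dict:
    """Reproduce the post's observation on its two signature segments."""
    same_bytes = b64url_decode_lenient(SIG_ORIGINAL) == b64url_decode_lenient(SIG_MUTATED)
    spellings = equivalent_encodings(b64url_decode_lenient(SIG_ORIGINAL))
    try:
        b64url_decode_strict(SIG_MUTATED)
        strict_rejects = False
    except ValueError:
        strict_rejects = True
    return {"same_bytes": same_bytes, "spellings": spellings, "strict_rejects_mutated": strict_rejects}


if __name__ == "__main__":
    secret = b"demo-secret-constructed-for-this-example"  # constructed, not the post's secret
    token = hs256_sign({"alg": "HS256", "typ": "JWT"}, {"sub": "42"}, secret)
    head, sig = token.rsplit(".", 1)
    for spelling in equivalent_encodings(b64url_decode_lenient(sig)):
        t = head + "." + spelling
        print(spelling[-1], "lenient:", hs256_verify(t, secret), "strict:", hs256_verify(t, secret, strict=True))
    print(demo())
```

The lenient verifier accepts all four spellings and the strict one accepts only the canonical one; both reject a token whose MAC bytes actually differ. The strict check is cheap (decode, re-encode, compare) and is the right fix if any part of your system keys on the token string itself.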
To Summarize...
- A 32-byte HS256 signature takes 43 Base64URL characters, and the low 2 bits of the last character aren't part of the signature; changing only those bits changes nothing after decoding
- That's why verification still passes with that one character changed (changing anything else in the signature does fail)
- This is standard decoder behaviour rather than a jwt.io bug, so the libraries you use in production will most likely accept the same variants
- In actual practice, rely on a maintained JWT library rather than hand-rolled parsing, and don't treat the raw token string as a unique identifier✨
When you encounter these little "huh?" moments, you get a glimpse into the mechanisms of technologies you normally use without thinking, and it's pretty interesting🥺
If you're curious, I recommend trying it out yourself too〜👀💗
Comments
ハンナ
It might just be extra data appended to the end of the signature.
ベン
I thought this was about the James Webb Telescope and got completely confused lol