Still using local storage for JWT ? You need to read this🚨🚨🚨

published over 1 year ago
1 min read

Hello [FIRST NAME GOES HERE],

Long time no talk. How are you doing? How's your career going during these really weird times? I would love to hear how you're doing, let's talk!

I've been going through a lot for the past few months, and I haven't been able to create content or share any hot tips with you. I hope you've been doing great and thriving despite how this year turned out.

Something happened to me a few months back. I was contacted by a company I built a project for, and they told me they had gone through a really serious attack in which customer accounts were being hijacked using their JWTs. This was really sad to hear.

First of all, attackers got hold of thousands and thousands of potential customer emails (I don't know how they got those) and blasted an email to them. This email contained a link that, when clicked, would execute a malicious script on our site to pull out the JWT. These tokens had an expiry of 1 month, and it was a complete disaster. They couldn't invalidate the tokens because that's not how JWTs work.

The only solution was to change the JWT secret, which affected not only the hijacked accounts but also every other customer who was logged in.

If this has never happened to you, you may not realize how risky it is to save your JWT in local storage, or in a cookie that JavaScript can read: any script that runs on your page can pull the token out and send it to the attacker.

Because of this event, I did a lot of research around how to implement JWT the right way, and I created a comprehensive and practical tutorial to share this information with you.

I really hope you learn something from the content I created. Please do not hesitate to share your feedback and thoughts. I'd also love to hear about what you've been up to, the latest technologies you've fallen in love with, and how your career is going.

Thanks a lot for reading so far. Wishing you the best in this new week!


Kati Frantz, professional software instructor