Insufficiently Protected Credentials
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code stores user passwords inside the payload of JWT tokens. A JWT payload is only base64url-encoded, not encrypted: the signature protects the token's integrity, not its confidentiality, so anyone who holds the token can decode the payload and read the password without knowing the signing key.
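As an added example (not code from the rule's source), a stdlib-only HS256 signer shows why the payload is readable without the key, places the flagged claim set beside a fixed one, and includes a small check that flags credential-like claim names; the secret, claim names and values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for the demo, not a real key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWS: header.payload.signature, each part base64url."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def read_payload_without_key(token: str) -> dict:
    """Anyone holding the token can do this: no secret is needed to read claims."""
    return json.loads(b64url_decode(token.split(".")[1]))


# Constructed list of claim names that indicate a credential in the payload.
SENSITIVE_CLAIMS = {"password", "passwd", "pwd", "secret", "api_key"}


def exposed_credential_claims(token: str) -> set:
    """Detection helper: credential-like claim names present in the payload."""
    return {k for k in read_payload_without_key(token) if k.lower() in SENSITIVE_CLAIMS}


# Vulnerable pattern the rule flags: the password is copied into the claims.
vulnerable_token = sign_jwt({"sub": "alice", "password": "hunter2"}, SECRET)
# Fixed pattern: identity and expiry only; the password never leaves the verifier.
safe_token = sign_jwt({"sub": "alice", "exp": 1700000000}, SECRET)
```

Running `read_payload_without_key` on `vulnerable_token` returns the password in clear, while `exposed_credential_claims` returns an empty set for `safe_token`.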
Impact
If exploited, an attacker who obtains a JWT token can trivially extract the user's password, leading to account compromise, unauthorized access, and broader breaches across your system and any other services where the user reuses the same password.