Developers, Always, ALWAYS Trim white-space from User Input

I just finished reading a story about a bug in Hyundai and Genesis vehicles which allows unauthorized individuals to unlock the cars remotely. Full-disclosure, I’m a Genesis owner, so this one got my attention straight away.

Apparently the Genesis software makes a couple of crucial mistakes. First and foremost, they don’t require email address confirmation. Secondly, they are allowing garbage in the email field, including control characters. It’s not completely wide-open, but apparently the regex that they use to validate user input is pretty lax.

Well the security researcher who discovered the bug, Sam Curry, found out that if you knew the email of an existing user of the app and you added a CRLF to the end of the email, bad guys could register a new account with an existing email. They would then could get the authentication server to issue a JWT that matched the legitimate email, and of course exclusive use of JWT without any kind of back-end session wiring means that once a JWT is issued, it is considered valid until it expires. Without a backing session, there is no way, for example, to invalidate a valid, existing JWT. Redis, who admittedly has motivation to have you use one of their servers in conjunction with JWT for session management, nevertheless has an entirely valid paper on it, that I happen to strongly agree with. Another full-disclosure worth noting, I was responsible for implementing multi-logon single-session solution for a large payments company in roughly the…