Anonymous

Yes, it’s not working because the JWT on site B is properly secured with a signature. But here’s what I did: I decompiled the APK and examined the authentication logic. I discovered that the app uses a different API endpoint and a different authentication workflow, where it adds a header similar to: Authorization: Token token=<same token format> After that, I intercepted the requests from the APK—but it took me almost a week because the app is heavily protected with: Anti-debugging Anti-root Anti-Frida SSL pinning Using my bypass method, I was eventually able to intercept the traffic and successfully achieve another account takeover by reusing the JWT from site B. I’m now waiting for the triage team to review it, since they’re having trouble bypassing the APK’s security mechanisms.

Another critical 🎯 0-click account takeover by cross-site JWT reuse While reviewing the auth flows across multiple domains in scope, I noticed something serious: Site A sets a simple token in a cookie (jwt=abc123…) Site B uses a full JWT in the Authorization header — the classic 3-part token (header.payload.signature), fully decodable and containing auth data inside it. When I decoded the JWT from Site B, I found it includes an auth header value identical to Site A’s format. So I registered an email on Site B that already exists on Site A → backend generated a valid JWT for the victim’s email. Then on Site A, I logged in with my attacker account, intercepted the login response, and swapped my JWT with the victim’s JWT created on Site B. I forwarded the response and… 💥 I was instantly logged into the victim’s account with full functionality — zero interaction required. Messy chain, but extremely effective. Happy hunting 👾🔥 #BugBounty #bugbountytip #bugbountytips #CyberSec

There is no email verification on either Site A or Site B. During reconnaissance on Site A, I observed that the authentication cookie uses a very short 20-character JWT-like token (3Xww67hjy1AH4eWmcyck). It cannot realistically be brute-forced, and there is no endpoint that exposes or leaks this token. While testing Site B, I noticed that it uses a full JWT (header, payload, signature). After decoding the payload, I found something critical: { "authToken": "4Xww67hjy1AH4emWcyCk", "emailDomain": "https://t.co/sEZ9emncds" } This means Site B embeds the authToken inside the JWT payload. I then registered an email on Site B that already exists on Site A, which caused Site B to generate a new token for that email. Using this generated token from Site B on Site A successfully allowed me to take over an existing account that was already registered on Site A.