
JSON Web Tokens are used everywhere: mobile apps, cars, single-sign-on flows, microservices, web apps — and they frequently ship with implementation errors. This talk walks through what a JWT is, how the signing and verification chain is supposed to work, and the categories of mistake that keep paying out at live hacking events: algorithm confusion, key handling failures, claim-validation gaps, and trust-boundary errors between the token issuer and the services that consume it. The examples are drawn from vulnerabilities I found during a recent automotive live hacking event, presented at a level that's useful whether you write the auth code or break it. You'll leave with a checklist of things to look for the next time a JWT shows up during testing.
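The two verifier mistakes the abstract names first, algorithm confusion and claim-validation gaps, can be shown side by side in a few dozen lines. The code below is an added illustration and is not material from the talk or from the speaker; the key, the issuer URL, the `vehicle-api` audience and all function names are assumptions made for the demo. `verify_naive` lets the untrusted header pick the algorithm, so an attacker-built `"alg":"none"` token with an empty signature is accepted; `verify_hardened` pins HS256, compares the MAC in constant time, and only then checks `exp`, `iss` and `aud` before returning claims.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions for this example, not from the talk).
# A real HS256 key must be a random secret of at least 32 bytes.
DEMO_KEY = b"demo-key-do-not-use-in-production-0123456789"
ISSUER = "https://auth.example.test"   # assumed token issuer
AUDIENCE = "vehicle-api"               # assumed consuming service


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side: header.payload signed with HMAC-SHA256."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(claims: dict) -> str:
    """Attacker side: 'alg':'none' header and an empty signature segment."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_naive(token: str, key: bytes) -> Optional[dict]:
    """VULNERABLE: the untrusted header decides how the token is verified."""
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body))   # no signature ever checked
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig)):
            return json.loads(b64url_decode(body))
    return None


def verify_hardened(token: str, key: bytes, *, issuer: str, audience: str,
                    now: Optional[int] = None) -> Optional[dict]:
    """Pins the algorithm, checks the MAC in constant time, then validates claims."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        if header.get("alg") != "HS256":     # the verifier chooses the algorithm, never the token
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:                       # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:   # missing or expired: reject
        return None
    if claims.get("iss") != issuer:
        return None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None
    return claims


if __name__ == "__main__":
    t = 1_700_000_000   # fixed "now" so the demo is deterministic
    forged = forge_alg_none({"sub": "admin", "iss": ISSUER, "aud": AUDIENCE, "exp": t + 600})
    print("naive accepts forged token:   ", verify_naive(forged, DEMO_KEY) is not None)
    print("hardened accepts forged token:",
          verify_hardened(forged, DEMO_KEY, issuer=ISSUER, audience=AUDIENCE, now=t) is not None)
```

The fix is not "reject `none`" as a special case; it is that the verifier never reads the algorithm from the token at all, and that a valid signature is necessary but not sufficient, since an unexpired token signed by the right issuer for a different audience is still the wrong token for this service.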

Speaker Bio:
Michael Vieth is a seasoned application security engineer currently working on Apple's Red Team. Over the last decade he's worked across regulated finance, consulting, and Fortune 500 product security, with a focus on code review, threat modeling, tool building, and supply chain attacks. Outside the day job he competes in live hacking events, mentors junior AppSec engineers, does all the outdoor activities, and plays video games (League of Legends and Old School RuneScape).
