Token of Misfortune: How a Refresh Token Leak Let Me Regenerate Unlimited Sessions
Summary
A cybersecurity expert reportedly found a flaw in a subdomain of a major international airline's app that could have exposed an unbounded amount of privileged information to attackers.
The flaw lay in how the airline's app was linked to a loyalty program through a refresh token: anyone holding that token could regenerate sessions at will and, with them, gain unlimited access to privileged information.
Had attackers obtained this token, they could have taken over user accounts, with no limit on how many.
The expert reported the issue to the airline, which subsequently fixed the vulnerability.
The case illustrates the risks that refresh tokens carry and underlines the need to include them in future privacy and security audits.