A recent security penetration test on our website found that the Zendesk JWT single sign-on solution uses an insecure algorithm for the token encryption: the JWT uses HS256 instead of RS256. This is used for loading support chat and has become a vulnerability on our site, and I assume all other customers who use this JWT SSO solution have the same issue.

Your website here: https://support.zendesk.com/hc/en-us/articles/4408845838874 states: "Note: Zendesk does not support the RS256 and ES256 JWT algorithms."

Are there plans to support this in the future? The lack of support for this algorithm may force us to look at another chat provider.
Idea Submitted
Use of JWT and insecure algorithm HS256