Authorization Token Never Expires in answerdev/answer

Valid

Reported on

Feb 24th 2023


Description

The vulnerability concerns the Authorization token issued at user login. After the user logs out, the token sent in the Authorization header remains valid and is not invalidated server-side. Additionally, the token has an excessively long lifetime of 10 hours, as confirmed by replaying a request.

This vulnerability allows an attacker to use the token to gain unauthorized access to the application or system even after the user has logged out, leading to potential data breaches, unauthorized modification or deletion of sensitive data, or other malicious activities.
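As an added illustration of the fix a defender would want, not code from the answerdev/answer project: an in-memory token store in Go (the project's language) in which every token carries a fixed absolute expiry and the logout path revokes the token server-side, so a copy of the token held by anyone stops working. The names TokenStore, Issue, Lookup and Revoke are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Constructed example, not answerdev/answer's own code: a server-side token store
// where every token has a short absolute lifetime and logout revokes it outright.
var ErrInvalidToken = errors.New("token invalid, expired or revoked")
type session struct {
	userID    string
	expiresAt time.Time
}

// TokenStore is a single-goroutine demo (a real one needs locking or a DB).
type TokenStore struct {
	ttl      time.Duration
	sessions map[string]session
}

func NewTokenStore(ttl time.Duration) *TokenStore {
	return &TokenStore{ttl: ttl, sessions: map[string]session{}}
}

// Issue mints an opaque random token bound to userID with an absolute expiry.
func (s *TokenStore) Issue(userID string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.sessions[tok] = session{userID: userID, expiresAt: time.Now().Add(s.ttl)}
	return tok, nil
}

// Lookup backs the Authorization header check: unknown, revoked and expired tokens all fail.
func (s *TokenStore) Lookup(tok string) (string, error) {
	sess, ok := s.sessions[tok]
	if !ok || !time.Now().Before(sess.expiresAt) {
		delete(s.sessions, tok) // purge expired records eagerly
		return "", ErrInvalidToken
	}
	return sess.userID, nil
}
// Revoke is the logout path; after it, a copy of the token held by anyone fails.
func (s *TokenStore) Revoke(tok string) { delete(s.sessions, tok) }
```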

Proof of Concept

curl -i -s -k -X $'POST' \
-H $'Host: 192.168.0.8:9080' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0' -H $'Accept: */*' -H $'Accept-Language: en_US' -H $'Accept-Encoding: gzip, deflate' -H $'Authorization: 79529c05-b3ec-11ed-8492-0242ac110002' -H $'Content-Type: application/json' -H $'Content-Length: 78' -H $'Origin: http://192.168.0.8:9080' -H $'Connection: close' -H $'Referer: http://192.168.0.8:9080/admin/users' -H $'X-PwnFox-Color: blue' \
--data-binary $'{"display_name":"mailtest","email":"mailtest@gmail.com","password":"Passowrd"}' \
$'http://192.168.0.8:9080/answer/admin/api/user'

Impact

The "Authorization Token Never Expires" vulnerability has a significant impact on the security of any application or system protected by the token. Because the token is neither expired promptly nor invalidated on logout, anyone who obtains it can use it indefinitely. This allows unauthorized access to sensitive information: the holder bypasses authentication and reaches the application or system without a valid username and password.

We are processing your report and will contact the answerdev/answer team within 24 hours. 3 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 3 months ago
joyqi validated this vulnerability 2 months ago
Juan Pablo Lopez Yacubian has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
joyqi marked this as fixed in 1.0.6 with commit cd742b 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
joyqi published this vulnerability 2 months ago