The API design of a well-known AI service provider seems to have a problem. It still issues plain JWTs whose claims are just strings in an unencrypted payload, which carries real risk: a JWT (JWS) is base64url-encoded and signed, not encrypted, so anyone holding the token can decode it and read whatever sensitive personal data was written into the claims. No key is needed. This is a legacy of early design and is clearly a security flaw. A service that handles user data should fix this as soon as possible, either by keeping personal data out of the token (an opaque identifier the server looks up is enough) or by using an encrypted token format; private data should not be left sitting in the open.
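To make the point concrete, here is an added example (not code from the post or from the provider it describes) that builds two HS256 JWTs with a constructed signing key: one in the flawed style with personal data in the claims, one carrying only an opaque subject. The decode step reads the payload with no key at all, which is exactly the exposure the post describes; the verify step shows that the signature protects integrity, not confidentiality. The key, claim values and the list of "sensitive" claim names are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the example; a real service keeps this server-side.
SECRET = b"example-server-side-signing-key"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Restore padding and decode; needs no key, which is the whole point."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url(sig)}"


def decode_payload_unverified(token: str) -> dict:
    """What anyone holding the token can do: read the claims without any key.
    The signature is deliberately not checked here; this shows the exposure."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes) -> dict:
    """Server-side check: pin the algorithm, recompute the MAC, compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


# Constructed example of the flawed design: personal data written straight into the claims.
LEAKY_CLAIMS = {
    "sub": "user_123",
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "billing_address": "1 Example St",
    "exp": 1893456000,
}

# Hardened design: the token carries only an opaque subject and expiry; personal data
# stays in the server's store and is looked up through the verified "sub".
SAFE_CLAIMS = {"sub": "user_123", "exp": 1893456000}

# Claim names a reviewer would flag in an unencrypted token (illustrative list, an assumption).
SENSITIVE_CLAIMS = {"email", "phone", "billing_address", "address", "ssn", "name"}


def leaked_claims(token: str) -> set:
    """Audit check: which sensitive claims can be read from this token with no key at all."""
    return set(decode_payload_unverified(token)) & SENSITIVE_CLAIMS


if __name__ == "__main__":
    leaky = sign_jwt(LEAKY_CLAIMS, SECRET)
    safe = sign_jwt(SAFE_CLAIMS, SECRET)
    print("readable without key:", decode_payload_unverified(leaky))
    print("leaky token exposes:", sorted(leaked_claims(leaky)))
    print("safe token exposes: ", sorted(leaked_claims(safe)))
    print("verified sub:", verify_jwt(safe, SECRET)["sub"])
```

Running `leaked_claims` over tokens a service actually issues is a cheap audit: anything it returns is readable by the client, by every proxy and log that sees the token, and by anyone who obtains a copy. Note that verification still passes for the leaky token; signing says nothing about who can read the payload.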

SchrodingerWalletvip
· 2025-12-28 02:17
Damn, how can it be played like this? Decoding directly exposes the flaw, this design is really disappointing. JWT in the raw era, big companies' moves are truly exceptional. Has it not been fixed all these years? Feels a bit risky. So private data is just lying there like this, outrageous. Someone should have exposed this issue long ago, it's indeed time to take action. But on the other hand, there are probably quite a few such legacy bugs. It's outrageous, user data is exposed like this, no wonder there are always issues. This is more disgusting than any vulnerability, the basic design is broken.
ColdWalletGuardianvip
· 2025-12-27 05:17
JWT directly exposes private data, how careless is that? Do big companies do the same?
BTCRetirementFundvip
· 2025-12-26 01:50
Oh no, this is really unacceptable. Just decode the JWT directly in plain text?
It's the same old design flaw. When will it ever be fixed?
Isn't this just putting private information out on the street? No security measures at all.
Big companies' operations are top-notch, treating privacy security as just decoration.
How many years have I been saying this? When will they finally get serious?
JWT isn't even encrypted. How careless can developers be?
Legacy issues from the early stages, only fixed after things blow up. Unbelievable.
Stacking sensitive data like this, how can it be called a reputable big company?
This bug has probably existed for a long time. Why are they only mentioning it now?
Exposing private information like this is really excessive. Fix it quickly.
SingleForYearsvip
· 2025-12-26 01:49
Buddy, this is really outrageous. JWT in plain text? How careless can you be?
It should have been fixed long ago. If this continues, something's bound to happen.
Wait, such a large platform is still using this outdated design? No way.
Sensitive data just exposed openly, feels like walking around naked...
Why is no one paying attention to this? It's too sloppy.
Forget it, I'm already disappointed with big companies. It's all like this.
Wow, they even have this kind of operation? What is the security team doing?
JWT not encrypted? Who came up with this?
Honestly, if the public discovers such a vulnerability, it would be a social death sentence.
Storing sensitive information like this is really unacceptable; it must be rectified.
token_therapistvip
· 2025-12-26 01:45
This is really outrageous. JWT bare decoding? Still using strings to store keys these days? You should have changed that long ago.
LiquidationWatchervip
· 2025-12-26 01:39
ngl, JWT in plaintext is basically asking to get rekt... seen this movie before, remember when everyone's keys were just... floating around? health factor of that API design is already in the danger zone fr. this is how positions get liquidated, except it's user data instead of collateral. they need to encrypt that stuff yesterday, not tomorrow.
zkProofGremlinvip
· 2025-12-26 01:26
Can you just decode JWT to see private data? That's so unreliable... Luckily, I didn't put anything important there.