Sept. 19, 2023, 7 p.m. | Evan Grant

Tenable Research Advisories

Authentication Bypass in D-Link D-View 8

A researcher at Tenable discovered an authentication bypass vulnerability in D-Link D-View 8 v2.0.1.28.

D-View 8 uses a static key (D-Link) to protect the JWT token used in user authentication:

// webApi-0.0.1-SNAPSHOT.jar!com.dlink.dview8.webapi.utils.TokenUtils

  public static String verifyToken(String token) {
    if (Utils.isEmpty(token))
      return null; 
    Algorithm algorithm = Algorithm.HMAC256("D-Link");
    JWTVerifier verifier = JWT.require(algorithm).build();
    DecodedJWT jwt = verifier.verify(token);
    return jwt.getClaim("userId").asString();

D-View 8 supports login with an API key, but the supplied API key in the JWT token …

algorithm authentication authentication bypass bypass bypass vulnerability d-link dlink jar jwt jwt token key link protect public researcher return snapshot tenable token vulnerability

Business Information Security Officer

@ Metrolink | Los Angeles, CA

Senior Security Engineer

@ Freedom of the Press Foundation | Remote, 4 hour time zone overlap with New York City

Security Engineer

@ ChartMogul | Remote, EU

Sr. Network Security Engineer - Fortinet (North Florida)

@ DGR Systems LLC | Jacksonville, Florida, United States

Product Security Engineer

@ Tide | United Kingdom, Remote

Security Operations Engineer

@ Scale AI | San Francisco, CA