jwt_tool
CVE-2020-28637 - more details?
Following up from Twitter, hoping to get more details on CVE-2020-28637. Thanks! (tag @ticarpi)
There's been a hold-up in publication, so I can't reveal the vulnerable application. For now I can say that the exploit is an alternative signing method for JWTs signed with a Private Key, where symmetric signing is enabled by default, but the secret is not set. So in practice you can sign new JWTs with a blank secret and forge your own tokens.
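The failure mode described in the reply above, modelled in stdlib Python as an added example (this is not code from jwt_tool or from the affected application, and the configuration dictionaries, function names and the `{"sub": ...}` payloads are constructed for the demo). It puts the vulnerable pattern (a verifier that honours the token's `alg` and uses the configured HMAC secret even when it was never set) beside a configuration audit and a hardened verifier that refuses to run with symmetric signing enabled and an empty secret. The RS256 branch is deliberately not modelled; the symmetric branch is the point.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo configurations (not the affected product's real settings).
# UNSAFE_CONFIG mirrors the issue: HS256 switched on by default, secret never set.
UNSAFE_CONFIG = {"allowed_algs": ["RS256", "HS256"], "hmac_secret": ""}
# RFC 7518 section 3.2: an HS256 key must be at least the hash output size (256 bits).
MIN_HMAC_SECRET_BYTES = 32


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_token(payload: dict, secret: bytes) -> str:
    """Compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def hs256_signature_ok(token: str, secret: bytes) -> bool:
    """Recompute the MAC over header.payload and compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(parts[2]))


def audit_config(config: dict) -> List[str]:
    """Configuration check: flag symmetric signing enabled without a real secret."""
    findings = []
    if "HS256" in config["allowed_algs"]:
        secret = config.get("hmac_secret", "").encode()  # unset secret defaults to ""
        if not secret:
            findings.append("HS256 enabled but hmac_secret is empty: anyone can mint valid tokens")
        elif len(secret) < MIN_HMAC_SECRET_BYTES:
            findings.append(f"hmac_secret shorter than {MIN_HMAC_SECRET_BYTES} bytes")
    return findings


def verify_lenient(token: str, config: dict) -> Optional[dict]:
    """Vulnerable pattern: honour whatever 'alg' the token carries and use the
    configured secret as-is, even when it was never set."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") != "HS256" or "HS256" not in config["allowed_algs"]:
        return None
    if hs256_signature_ok(token, config.get("hmac_secret", "").encode()):
        return json.loads(b64url_decode(token.split(".")[1]))
    return None


def verify_strict(token: str, config: dict) -> Optional[dict]:
    """Hardened pattern: refuse to verify anything on a bad config, and only take
    the HS256 path when the deployment explicitly enabled it with a real secret."""
    findings = audit_config(config)
    if findings:
        raise RuntimeError("refusing to verify tokens: " + "; ".join(findings))
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") != "HS256" or "HS256" not in config["allowed_algs"]:
        return None
    if hs256_signature_ok(token, config["hmac_secret"].encode()):
        return json.loads(b64url_decode(token.split(".")[1]))
    return None


if __name__ == "__main__":
    blank_secret_token = hs256_token({"sub": "admin"}, b"")  # the blank-secret case from the issue
    print("lenient verifier accepts it:", verify_lenient(blank_secret_token, UNSAFE_CONFIG))
    print("config audit:", audit_config(UNSAFE_CONFIG))
    try:
        verify_strict(blank_secret_token, UNSAFE_CONFIG)
    except RuntimeError as err:
        print("strict verifier:", err)
```

The two defensive controls are independent: `audit_config` is the startup or deployment check that would have caught "symmetric signing on, secret unset" before any token was issued, while `verify_strict` shows that even with a proper secret the blank-secret token fails the MAC check, and with HS256 simply disabled it is rejected before any HMAC is computed.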