JWTs are a mechanism for delegating auth to a trusted third party.
The server consuming the tokens validates the signature, and from this can validate that the token is authentic, and that the claims have not been altered.
ZAF JWTs are fundamentally unsound in design, and in practice no better than hardcoding the JWT secret in the client application.
The ZAF server will happily sign any claims it receives. It performs no validations, which makes this an easily exploited vulnerability.
This does not affect Zendesk APIs directly, but any third party service that is being consumed via the ZAF using ZAF JWTs.
JWTs signed by ZAF do guarantee the request was sent from the app.
However, servers cannot trust the claims.
I tried to report this responsibly via the bounty hunting program, which seemed to be the official route for these disclosures.
Today I was told this is a non-issue, because it does not affect Zendesk APIs, and third parties should be verifying auth anyways...
If you are using ZAF JWTs in your app, you must stop immediately. This is a glaring security hole and may already be actively exploited.
Update: It seems the design intention was for this feature to be used when rendering an app by making requests to a known server. That server can use the JWT to verify that the request came from Zendesk, and not some third party host.
While this sheds some light on the thought process behind this design decision, I stand by my claims above, namely that the API is unsound in design and irresponsibly documented. The documentation for ZAF JWTs could easily lead junior developers into introducing security vulnerabilities into their applications. At a minimum, this documentation should be explicit about what cannot be guaranteed by these JWTs.
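As an added example (not code from this issue or from Zendesk), the distinction the issue draws between an authentic signature and trustworthy claims, in Python with the standard library only: `sign_any_claims` is a toy model of a signer that signs whatever claims it is handed, and `authorize` uses such a token purely as proof of origin, taking the role from constructed server-side records rather than from the token. The shared secret and the account table are assumptions for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed secret shared between the signing service and the consuming server.
SHARED_SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_any_claims(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Toy model of a signing service that signs whatever claims it is given
    (the behaviour the issue describes); it validates nothing about them."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_origin(token: str, secret: bytes = SHARED_SECRET,
                  now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the HS256 signature is valid and the token is unexpired.
    Success proves only that the holder of `secret` produced the token."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never take it from the token
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

# Constructed server-side records: identity and role come from here, never from the token.
TRUSTED_ACCOUNTS = {"alice": "user", "bob": "admin"}

def authorize(token: str, session_user: str, now: Optional[float] = None) -> Optional[str]:
    """Use the token only as an origin gate; resolve the role from our own records,
    keyed by an independently authenticated session, ignoring any role claim."""
    if verify_origin(token, now=now) is None:
        return None
    return TRUSTED_ACCOUNTS.get(session_user)
```

A token carrying `{"role": "admin"}` passes `verify_origin` exactly like a legitimate one, which is why `authorize` never reads that claim.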