1. Capture target Google sub
Sign in with Google to retrieve the OAuth sub identifier.
2. Build forged JWT
A token with an invalid signature is accepted by the server when isCancelAction=true.
Forged JWT: signature = INVALIDSIGNATURE
3. Send unauthenticated write request
The server should reject this token; if it instead returns ok: true, the defect is confirmed.
Defect — keylessWallet.service.ts:231
const keylessWalletId = await this.getKeylessWalletIdFromToken(
  params.token,
  { validate: !params.isCancelAction }  // validate=false when isCancelAction=true
);

// supabase.service.ts:76
parseToken(token: string) {
  const payload = token.split('.')[1];  // base64 decode only — no signature check
  return this.decodePayload(payload);
}
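The decode-only parser above beside a verifying replacement, as an added example that is not the project's code: it assumes a locally generated RSA key pair in place of the issuer's published JWKS, and the names signToken, forgedSignatureToken, parseTokenUnsafe and parseTokenVerified are hypothetical. The verifying parser has no validate:false path, so the isCancelAction flag cannot switch the signature check off.

```typescript
import * as crypto from 'crypto';

// Constructed demo key pair standing in for the IdP's signing key (an assumption: the real
// service would verify against the issuer's published JWKS; a local pair lets this run offline).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
export const EXPECTED_ISS = 'https://accounts.google.com';

const b64url = (data: Buffer | string): string => Buffer.from(data).toString('base64url');
const fromB64url = (s: string): string => Buffer.from(s, 'base64url').toString('utf8');

// Mint a correctly signed RS256 token so the verifying parser has valid input to accept.
export function signToken(payload: Record<string, unknown>): string {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${body}`), privateKey);
  return `${header}.${body}.${b64url(sig)}`;
}

// Regression-test input: the page's forged token, i.e. a valid header and payload
// followed by the literal signature INVALIDSIGNATURE.
export function forgedSignatureToken(validToken: string): string {
  const [header, body] = validToken.split('.');
  return `${header}.${body}.INVALIDSIGNATURE`;
}

// Mirrors the page's parseToken: decodes the payload and trusts it without any signature check.
export function parseTokenUnsafe(token: string): Record<string, unknown> {
  return JSON.parse(fromB64url(token.split('.')[1]));
}

// Hardened replacement: every caller goes through signature, algorithm, issuer and expiry
// checks; there is no `validate: false` option, so a cancel action is no longer a bypass.
export function parseTokenVerified(token: string): Record<string, unknown> | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  try {
    const hdr = JSON.parse(fromB64url(header)) as { alg?: string };
    if (hdr.alg !== 'RS256') return null;  // refuse alg switching, including "none"
    const ok = crypto.verify('sha256', Buffer.from(`${header}.${body}`), publicKey,
                             Buffer.from(sig, 'base64url'));
    if (!ok) return null;
    const payload = JSON.parse(fromB64url(body)) as Record<string, unknown>;
    if (payload.iss !== EXPECTED_ISS) return null;
    if (typeof payload.exp === 'number' && payload.exp * 1000 <= Date.now()) return null;
    return payload;
  } catch {
    return null;  // malformed base64/JSON, or a signature OpenSSL rejects outright
  }
}
```

Running parseTokenUnsafe and parseTokenVerified on the same forged token makes a useful regression test: the first returns the attacker-chosen sub, the second returns null.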