pii-in-jwt-tokens

In the analyzed application, the JSON Web Token (JWT) stored in local storage contains a large amount of Personally Identifiable Information (PII), including the user’s full name, address, date of birth, mobile number, email address, Aadhar ID, PAN card number, account number, account balance, and other financial details. This violates a fundamental principle of secure token design: JWTs should contain only essential claims required for session validation or authorization, not sensitive user data.

The inclusion of PII within the JWT is especially concerning because JWTs are typically stored client-side and transmitted with each authenticated request. This increases the exposure surface. If the JWT is ever compromised — through cross-site scripting (XSS), insecure transport, or browser extensions — the attacker would gain immediate access to highly sensitive identity and financial information without needing to query the backend or elevate privileges. Unlike server-side session variables, client-side JWTs cannot be redacted or hidden from the user or other JavaScript code running in the browser.

Moreover, JWTs are base64-encoded, not encrypted. This means any observer with access to the token (e.g., via browser dev tools or logs) can trivially decode and view the full payload using online tools or a simple script. The mere presence of PII in this format is a data privacy violation under most regulatory frameworks such as GDPR, India’s DPDP Act, or even common banking security guidelines.

This design decision effectively turns each token into a portable identity document, vulnerable to theft and misuse. The better approach would be to store only a unique user identifier (e.g., sub) and a few non-sensitive claims (e.g., exp, iat), while all sensitive data should remain server-side and retrieved only via authenticated, controlled API calls. This minimizes risk, limits exposure, and aligns with modern security best practices.

Sample JWT Decoded Payload:

{
  "acctNo": "076844001854",
  "acctBalance": "384377.22",
  "incomeTaxNumber": "0260245742",
  "acctOpeningDate": "2025-07-06 00:00:00",
  "currency": "INR",
  "fname": "aaaaa",
  "lname": "aaaaa",
  "address": "1, aa, aaa",
  "dob": "2008-06-29",
  "mobileNo": "1111111111",
  "email": "aaa@mail.com",
  "aadharId": "001616570010",
  "panCardId": "6018955884",
  "walletId": "8809093793",
  "gender": "2",
  "countryId": "IND",
  "exp": 1752497871
}

This is a High severity issue (CVSS ~7.0) due to sensitive personal and financial data exposure risk through client-side tokens.

As a remedy, we should:

• Limit JWT payloads to minimal necessary claims such as user ID (sub), expiration (exp), and issued-at (iat).
• Store all sensitive user information securely on the server and provide it via authenticated API calls only.
• Consider encrypting tokens if sensitive data must be included.
• Also, enforce secure transmission (HTTPS) and protect against XSS to reduce token theft risk.