Yuta Yamate

Researcher from Rakuten Group, Inc.
#34910 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2024-25035
7.5
2024-05-22
Unknown · Offerbox App For Android · CVE-2024-32988
**Name of the Vulnerable Software and Affected Versions**

OfferBox App for Android versions 2.0.0 through 2.3.17

OfferBox App for iOS versions 2.1.7 through 2.6.14

**Description**

The 'OfferBox' App for Android and iOS uses a hard-coded secret key for JWT. This secret key may be retrieved if the application binary is reverse-engineered.

**Recommendations**

For OfferBox App for Android versions 2.0.0 through 2.3.17, consider disabling the JWT authentication mechanism until a patch is available.

For OfferBox App for iOS versions 2.1.7 through 2.6.14, restrict access to sensitive features that rely on the hard-coded secret key for JWT until the issue is resolved.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.