Artist Statement
On the accumulation of identity, the weight of audit, and the death of sessions
logbearer is a meditation on the modern compulsion to log everything. Every click tracked. Every action audited. Every moment of attention captured, timestamped, and stored—ostensibly for your benefit.
In this installation, your session token doesn't just authenticate you. It becomes you. Every action you take is appended to your JWT payload, creating an ever-growing record of your digital existence within this small application. View a note? Logged. Create a note? Logged. Even inspecting the token that logs you—logged.
The Vulnerability
JSON Web Tokens were designed for stateless authentication—a compact, self-contained way to transmit claims between parties. They work beautifully for their intended purpose: storing a user ID, some roles, an expiration time.
But logbearer asks: what if we used JWTs for something they were never meant to do? What if we treated them as append-only logs, growing with every interaction?
The result is a token that:
- Grows unboundedly with each user action
- Eventually exceeds the request-header size limit of whatever server sits in front of it (commonly about 8 KB by default, though the exact figure varies by server and configuration)
- Causes session death when it becomes too large to transmit
- Exposes your complete activity history to anyone who can decode base64url, with no key required
"The payload is not encrypted. It never was. The signature only proves authenticity—it makes no promises about secrecy."
The Metaphor
We live in an age of infinite logging. Your browser history. Your location data. Your purchase patterns. Your social graph. These logs grow without bound, creating ever-larger profiles that define you to systems you'll never see.
But what if those logs had weight? What if every tracked action made your digital self heavier, slower, more cumbersome? What if the accumulated surveillance eventually became too much to bear?
In logbearer, the session dies under its own weight. The token, bloated with the record of your actions, exceeds the limits of the infrastructure designed to carry it. There is no graceful degradation. There is only death.
What This Teaches
For security practitioners, logbearer demonstrates several anti-patterns:
1. Unbounded Data in Tokens
JWTs should carry a small, fixed set of claims whose size does not depend on what the user does. Variable-length or growing data belongs in server-side storage, keyed by an identifier (a session or user ID) that the token carries, so the token stays roughly the same size for the life of the session.
2. The Illusion of Encryption
The everyday JWT is a JWS: signed, not encrypted. Its base64url-encoded payload is trivially readable by anyone who holds the token. (An encrypted variant, JWE, does exist, but it is not what most applications mean by "JWT", and it is not what logbearer uses.) If you're storing sensitive data in a signed JWT and expecting it to stay private, you've misunderstood the tool.
3. Client-Side Trust
This application treats whatever the JWT payload says as the truth. Because the signing secret is exposed in the page source (see below), anyone can rewrite that history and re-sign it, and the server has no way to tell a forged record from a genuine one. The lesson is the general one: a token is input from the client, not a fact about the client; the authoritative state, and the checks against it, belong on the server.
4. Audit Fatigue
Logging everything creates noise that obscures signal. The action log in logbearer quickly becomes unreadable—a common fate for over-engineered audit systems.
The Secret in the Source
Open your browser's developer tools. Look at logbearer.js.
You'll find the JWT "secret" in plain text:
SECRET_KEY: 'this-secret-is-visible-in-source-code-lol'
This is intentional. In a real application, exposing a signing secret is catastrophic: anyone holding it can mint a token with any payload, and the signature check then proves nothing. Here it is part of the commentary: a secret that ships to the browser is no secret, and a signature that anyone can produce is no authentication.
Try It Yourself
Start a session. Create some notes. Watch your token grow. Open the token inspector and see your actions accumulate. Feel the health bar creep toward red.
Then, when your session dies, ask yourself: how much of your real digital activity is being logged somewhere, by someone, for purposes you'll never know?
About CVE.art
logbearer is part of Creative (Attack) Vectors and Expressions of Art, a digital gallery exploring security design through intentionally flawed but fully functional web applications.
Each installation embodies a specific security antipattern, pushed to an absurd but internally consistent extreme. The goal is education through experience: understanding a broken system teaches differently than reading about it.
This site is an artistic project and is not affiliated with MITRE or the official CVE database.