
High-Severity Bug Reported in Google’s OAuth Client Library for Java

Google's OAuth Client Library for Java

Google last month addressed a high-severity flaw in its OAuth
client library for Java that could be abused by a malicious actor
with a compromised token to deploy arbitrary payloads.

Tracked as CVE-2021-22573, the vulnerability is
rated 8.7 out of 10 for severity and relates to an authentication
bypass in the library that stems from an improper verification of
the cryptographic signature.

Credited with discovering and reporting the flaw on March 12 is
Tamjid Al Rahat[1], a fourth-year Ph.D.
student of Computer Science at the University of Virginia, who has
been awarded $5,000 as part of Google’s bug bounty program.

“The vulnerability is that the IDToken verifier does not verify
if the token is properly signed,” an advisory[2]
for the flaw reads.

“Signature verification makes sure that the token’s payload
comes from a valid provider, not from someone else. An attacker can
provide a compromised token with custom payload. The token will
pass the validation on the client side.”

The open-source Java library[3], built on the Google HTTP Client Library for Java[4], makes it possible to obtain access tokens to any service on the web that supports the OAuth authorization standard.


Google, in its README file[5]
for the project on GitHub, notes that the library is supported in
maintenance mode and that it’s only fixing necessary bugs,
indicative of the severity of the vulnerability.

Users of the google-oauth-java-client library are recommended to
update to version 1.33.3[6], released on April 13,
to mitigate any potential risk.

References

  1. Tamjid Al Rahat (sites.google.com)
  2. advisory (nvd.nist.gov)
  3. Java library (developers.google.com)
  4. Google HTTP Client Library for Java (googleapis.github.io)
  5. README file (github.com)
  6. version 1.33.3 (github.com)
