Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads.
Tracked as CVE-2021-22573, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from improper verification of the cryptographic signature.
Credited with discovering and reporting the flaw on March 12 is Tamjid Al Rahat, a fourth-year Ph.D. student of Computer Science at the University of Virginia, who has been awarded $5,000 as part of Google's bug bounty program.
"The vulnerability is that the IDToken verifier does not verify if the token is properly signed," an advisory for the flaw reads.
"Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side."
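To make the advisory's point concrete, here is an added example (not code from the google-oauth-java-client project) of an ID token verifier with the signature check modelled as a switch. Everything in it is constructed: the key, issuer and audience are placeholders, and HS256 (HMAC) stands in for the RS256 signatures real providers use so the block runs with only the Python standard library. With `check_signature=False` the verifier still validates `iss`, `aud` and `exp`, yet a token whose payload was swapped under the original signature is accepted, which is the defect class the advisory describes; with the check on, the same token is rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; none of these are real credentials or endpoints.
KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://issuer.example"
AUDIENCE = "client-id.example"
NOW = 1_700_000_000  # fixed clock so the results are deterministic


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT the way a legitimate provider would (HMAC stands in for RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_id_token(token, key, expected_issuer, expected_audience,
                    check_signature=True, now=None):
    """Return the verified claims, or None on any failure.

    check_signature=False reproduces the advisory's defect class: the claims
    are checked but the signature never is, so the payload is untrusted input.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(signature_b64)
    except ValueError:  # covers malformed base64, bad JSON and bad UTF-8
        return None
    # Pin the algorithm; never let the token's own 'alg' choose the check.
    if header.get("alg") != "HS256":
        return None
    if check_signature:
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
    now = time.time() if now is None else now
    if payload.get("iss") != expected_issuer:
        return None
    if payload.get("aud") != expected_audience:
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return payload


def tampered_copy(token: str, new_payload: dict) -> str:
    """Negative test input: same header and signature, different payload."""
    header_b64, _, signature_b64 = token.split(".")
    body = _b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{body}.{signature_b64}"


def demo() -> dict:
    genuine = issue_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                           "exp": NOW + 3600}, KEY)
    altered = tampered_copy(genuine, {"iss": ISSUER, "aud": AUDIENCE,
                                      "sub": "admin", "exp": NOW + 3600})
    return {
        "genuine_accepted":
            verify_id_token(genuine, KEY, ISSUER, AUDIENCE, now=NOW) is not None,
        "tampered_accepted_without_signature_check":
            verify_id_token(altered, KEY, ISSUER, AUDIENCE,
                            check_signature=False, now=NOW) is not None,
        "tampered_accepted_with_signature_check":
            verify_id_token(altered, KEY, ISSUER, AUDIENCE, now=NOW) is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical takeaway for anyone auditing a verifier: claim checks alone prove nothing about who produced the payload, so a test suite should include a token whose body was altered after signing and assert that it is rejected, alongside the usual expired, wrong-audience and wrong-key cases.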
The open-source Java library, built on the Google HTTP Client Library for Java, makes it possible to obtain access tokens from any service on the web that supports the OAuth authorization standard.
Google, in its README file for the project on GitHub, notes that the library is supported in maintenance mode and that it's only fixing essential bugs, indicative of the severity of the vulnerability.
Users of the google-oauth-java-client library are recommended to update to version 1.33.3, released on April 13, to mitigate any potential risk.
Some parts of this article are sourced from:
thehackernews.com