Last month Google patched a severe flaw in its OAuth client library for Java; attackers can exploit the flaw by presenting a compromised token that carries an arbitrary payload.
The flaw, tracked as CVE-2021-22573 and rated 8.7 out of 10 on the severity scale, is an authentication bypass in the library that stems from improper verification of a cryptographic signature.
Tamjid Al Rahat, a fourth-year PhD student in Computer Science at the University of Virginia, reported the flaw on March 12, and Google awarded $5000 under its bug bounty program.
“The vulnerability is that the IDToken verifier does not verify if the token is properly signed,” an advisory for the flaw reads.
“Signature verification makes sure that the token’s payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload. The token will pass the validation on the client side.”
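To make the advisory's point concrete, here is an added illustration in Python, not code from google-oauth-java-client: a simplified HS256 ID-token verifier that checks only the claims, beside a hardened one that pins the algorithm and checks the signature before trusting the payload. The key, issuer, audience and clock values are constructed, and real Google ID tokens are RS256-signed with Google's published keys rather than a shared secret.

```python
import base64, hashlib, hmac, json

# Constructed sample values; real Google ID tokens use RS256 and Google's keys.
KEY = b"provider-signing-key"          # key held only by the legitimate provider
ISSUER = "https://idp.example"
AUDIENCE = "client-123"
NOW = 1_700_000_000                    # fixed clock so the demo is repeatable

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_token(payload: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT: base64url(header).base64url(payload).sig."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def _claims_ok(payload: dict, issuer: str, audience: str, now: int) -> bool:
    return (payload.get("iss") == issuer and payload.get("aud") == audience
            and payload.get("exp", 0) > now)

def verify_claims_only(token: str, issuer: str, audience: str, now: int) -> bool:
    """Flawed verifier: trusts the payload without checking who signed it."""
    _, body, _ = token.split(".")
    return _claims_ok(json.loads(_b64url_decode(body)), issuer, audience, now)

def verify_signed(token: str, key: bytes, issuer: str, audience: str, now: int) -> bool:
    """Hardened verifier: reject unless the signature checks out, then check claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False          # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    return _claims_ok(json.loads(_b64url_decode(body)), issuer, audience, now)

if __name__ == "__main__":
    good = sign_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": NOW + 3600}, KEY)
    # Forged with a key the provider never issued, but with valid-looking claims.
    forged = sign_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "exp": NOW + 3600}, b"not-the-provider-key")
    print("claims-only verifier accepts forged token:", verify_claims_only(forged, ISSUER, AUDIENCE, NOW))
    print("signed verifier accepts forged token:", verify_signed(forged, KEY, ISSUER, AUDIENCE, NOW))
```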
The open-source Java library is built on the Google HTTP Client Library for Java, which lets it obtain access tokens for any service that supports the OAuth authorization standard.
In the project's README on GitHub, Google notes that the library is in maintenance mode and that only necessary bugs are being fixed, which underlines the severity of this vulnerability.
Users of the google-oauth-java-client library are advised to update to version 1.33.3, released on April 13, to mitigate the risk.