Google addressed a serious flaw in its OAuth Client Library for Java last month. The flaw could have been exploited by a malicious actor using a compromised token to launch arbitrary payloads.
Tracked as CVE-2021-22573, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from improper verification of the cryptographic signature.
Credited with discovering and reporting the flaw on March 12 is Tamjid Al Rahat, a fourth-year Ph.D. student of Computer Science at the University of Virginia, who has been awarded $5,000 as part of Google’s bug bounty program.
“The vulnerability is that the IDToken verifier does not verify if the token is properly signed,” an advisory for the flaw reads.
“Signature verifies that the token’s payload comes from a legitimate provider and not someone else. A hacker can compromise a token and provide a custom payload. It will be validated on the client’s side.”
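The advisory describes a verifier that checks a token's claims but never its signature, so a token whose payload has been swapped still passes. The following added example (not the library's own code) shows the two patterns side by side: a claims-only verifier that accepts a tampered token, and a hardened verifier that checks the signature before trusting any claim. It uses an HS256 shared key and constructed issuer, audience and key values as a stand-in; a production ID token verifier checks an asymmetric (RS256) signature against the provider's published public keys, but the ordering of checks is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; a real verifier fetches the provider's
# public keys and is configured with its own client ID as the audience.
PROVIDER_KEY = b"constructed-demo-signing-key"
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "demo-client-id"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT the way an issuer would (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def tamper_payload(token: str, new_claims: dict) -> str:
    """Test fixture: replace the payload but keep the old signature attached."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"


def _claims_ok(payload: dict, now: int) -> bool:
    return (
        payload.get("iss") == EXPECTED_ISSUER
        and payload.get("aud") == EXPECTED_AUDIENCE
        and int(payload.get("exp", 0)) > now
    )


def verify_claims_only(token: str, now: int = None) -> bool:
    """Flawed pattern: inspects iss/aud/exp and never looks at the signature."""
    now = int(time.time()) if now is None else now
    try:
        _, payload_b64, _ = token.split(".")
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON, or wrong number of segments
        return False
    return _claims_ok(payload, now)


def verify_signed(token: str, key: bytes, now: int = None) -> bool:
    """Hardened pattern: pin the algorithm, check the signature, then the claims."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:
        return False
    if header.get("alg") != "HS256":  # reject "none" and algorithm confusion
        return False
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return False
    return _claims_ok(payload, now)


def demo(now: int = 1_700_000_000) -> dict:
    """Run both verifiers over a genuine token and a tampered copy of it."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 3600}
    genuine = sign_id_token({**base, "sub": "user-123"}, PROVIDER_KEY)
    tampered = tamper_payload(genuine, {**base, "sub": "someone-else"})
    return {
        "claims_only_accepts_genuine": verify_claims_only(genuine, now),
        "claims_only_accepts_tampered": verify_claims_only(tampered, now),
        "signed_accepts_genuine": verify_signed(genuine, PROVIDER_KEY, now),
        "signed_accepts_tampered": verify_signed(tampered, PROVIDER_KEY, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The claims-only verifier accepts the tampered token because issuer, audience and expiry all still look right; only the signature check ties those claims to the provider. Pinning the expected algorithm before comparing signatures, and using a constant-time comparison, are the two details most often missed when the check is added after the fact.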
The open-source Java library, built on the Google HTTP Client Library for Java, lets applications obtain access tokens from any web service that is compliant with the OAuth authorization standard.
Google notes in the project’s README on GitHub that the library is in maintenance mode and that it is only fixing necessary bugs; that this flaw was patched regardless is indicative of its severity.
Users of the google-oauth-java-client library are advised to update to version 1.33.3, released on April 13, to mitigate any potential risk.