Reported High Severity Bug in Google’s OAuth Client Library for Java

Last month, Google patched a serious flaw in its OAuth client library for Java that could be exploited by a malicious actor holding a tampered token to pass off an arbitrary payload as a validly issued ID token.

Tracked as CVE-2021-22573, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from improper cryptographic signature verification.

Credited with discovering and reporting the flaw on March 12 is Tamjid Al Rahat, a fourth-year Ph.D. computer science student at the University of Virginia, who received $5,000 through Google’s bug bounty program.

“The vulnerability is that the IDToken verifier does not check if the token is properly signed,” an advisory for the flaw reads.

“Signature verification ensures that the token payload is from a valid provider, not someone else. An attacker can provide a compromised token with a custom payload. The token will pass client-side validation.”
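The advisory's point can be made concrete with the two verifier shapes side by side. The following is an added example written for this page; it is not code from google-oauth-java-client and does not reproduce that library's API. It uses HMAC-SHA256 (an assumption chosen so the example runs on the standard library alone; real Google ID tokens are RS256-signed with keys published by the provider), and the issuer, audience, keys and claims are all constructed for the demonstration. `verify_claims_only` mirrors the flawed behaviour: it decodes the payload and checks issuer, audience and expiry but never touches the signature, so a token with a custom payload, or no signature at all, passes. `verify_signed` pins the algorithm and recomputes the MAC before trusting any claim.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values standing in for a real provider and relying party.
PROVIDER_KEY = b"constructed-provider-secret-do-not-reuse"
EXPECTED_ISSUER = "https://accounts.example.com"
EXPECTED_AUDIENCE = "example-client-id"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header: dict, payload: dict) -> str:
    # JWS compact form: base64url(header) "." base64url(payload)
    return ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )


def mint_token(payload: dict, key: bytes) -> str:
    """Produce an HS256-signed compact JWT (header.payload.signature)."""
    signing_input = _signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _claims_are_acceptable(payload: object, now: float) -> bool:
    if not isinstance(payload, dict):
        return False
    return (
        payload.get("iss") == EXPECTED_ISSUER
        and payload.get("aud") == EXPECTED_AUDIENCE
        and payload.get("exp", 0) > now
    )


def verify_claims_only(token: str, now: float) -> bool:
    """Flawed verifier: parses the payload and checks claims, never the
    signature. Anyone who can base64url-encode JSON passes this check."""
    try:
        _header_b64, payload_b64, _sig_b64 = token.split(".")
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return False
    return _claims_are_acceptable(payload, now)


def verify_signed(token: str, key: bytes, now: float) -> bool:
    """Hardened verifier: pins the algorithm, recomputes the MAC over the
    exact bytes presented, compares in constant time, then checks claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        presented = _b64url_decode(sig_b64)
    except ValueError:
        return False
    # The verifier, not the token, decides the algorithm; this also rejects "none".
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return False
    return _claims_are_acceptable(payload, now)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run a genuine token, a re-signed forgery and an unsigned token
    through both verifiers and report what each one accepts."""
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": "user-123", "exp": now + 3600}
    legit = mint_token(claims, PROVIDER_KEY)
    # Attacker keeps the acceptable claims but swaps the subject and signs
    # with a key the provider never issued.
    forged = mint_token({**claims, "sub": "admin"}, b"attacker-chosen-key")
    # Same custom payload, "alg": "none" and an empty signature segment.
    unsigned = _signing_input({"alg": "none"}, {**claims, "sub": "admin"}) + "."
    return {
        "legit_claims_only": verify_claims_only(legit, now),
        "forged_claims_only": verify_claims_only(forged, now),
        "unsigned_claims_only": verify_claims_only(unsigned, now),
        "legit_signed": verify_signed(legit, PROVIDER_KEY, now),
        "forged_signed": verify_signed(forged, PROVIDER_KEY, now),
        "unsigned_signed": verify_signed(unsigned, PROVIDER_KEY, now),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:>22}: {'ACCEPTED' if accepted else 'rejected'}")
```

The claims-only verifier accepts all three tokens, which is exactly the failure the advisory describes: issuer, audience and expiry are attacker-controlled text until a signature binds them to the provider. With an RS256 provider the same structure applies, except that `expected` is replaced by a public-key signature check against the key identified by the token's `kid` header, fetched from the provider's published key set.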

The open-source Java library, built on top of the Google HTTP Client Library for Java, lets applications obtain access tokens from any web service that supports the OAuth authorization standard.


Google notes in the project's README file on GitHub that the library is in maintenance mode and only receives fixes for necessary bugs, which underlines how seriously this vulnerability was treated.

Users of the google-oauth-java-client library are advised to update to version 1.33.3, released on April 13, to mitigate any potential risk.
