CVE-2021-22573 is a vulnerability in Google’s OAuth client for Java, with a severity score of 8.7 out of 10 on the CVSS scale.
What Causes the CVE-2021-22573 Vulnerability?
The vulnerability stems from the fact that “IDToken verifier does not verify if token is properly signed,” according to the security advisory. Signature verification is needed so that it is known that the token’s payload comes from a valid provider.
“An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above,” the advisory added. The issue was discovered and reported on March 12 by Tamjid Al Rahat, a Ph.D. student of Computer Science at the University of Virginia. He has been awarded $5,000 for disclosing the flaw, according to Google’s bug bounty program.
Earlier this month, a phishing attack leveraging Google’s SMTP relay service was detected delivering phishing emails to users. The attack was observed by Avanan security researchers.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: