The Hacker News reports that a high-severity vulnerability in Google's OAuth client library for Java has been fixed last month.
Attackers with compromised tokens could exploit the flaw, tracked as CVE-2021-22573, to facilitate arbitrary payload deployment, according to the flaw advisory.
"The vulnerability is that the IDToken verifier does not verify if the token is properly signed. Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side," said the advisory.
Google noted that only necessary vulnerabilities within the library, which has been placed in maintenance mode, will be addressed. Meanwhile, users have been urged to implement version 1.33.3 of the library to prevent compromise.
University of Virginia student Tamjid Al Rahat has been recognized for identifying and reporting the vulnerability, for which he was given a $5,000 reward under Google's bug bounty program.