Comments (7)
SurferJeffAtGoogle
commented on May 5, 2024
Hi Seong-Joong. Thank you for reporting this issue. The code fix looks good too.
I would like to try to reproduce the issue. Is there a simple way to reproduce it?
from google-api-cpp-client.
sungjungk
commented on May 5, 2024
Thank you for your prompt reply.
In my PoC, ‘set_default_scopes’ function is called with ‘profile/email’ parameters as follows;
std::unique_ptr<OAuth2ServiceAccountFlow> flow_;
flow_->set_default_scopes(“profile email”);
After I received a token, it contains ID token in forms of JWT.
Currently, it occurred about type handling issue of ‘exp’ in JWT.
from google-api-cpp-client.
sungjungk
commented on May 5, 2024
Hi all,
In addition to the above reproducible case, it happens when either 'profile' or 'email' is specified on 'set_default_scopes' function.
After the execution, authentication server returns 'ID token' in forms of JWT (JSON Web Token), that contains an 'exp' element as integers, not a string (see RFC7519).
Before applying this patch, it cannot parse the 'exp' element in JWT properly.
Please check again.
Many thanks!!
from google-api-cpp-client.
sungjungk
commented on May 5, 2024
@SurferJeffAtGoogle
What do you think of it as security issue?
I think that it can be used for denial of service attack.
Description
An exploitable unhandled exception vulnerability exists during Google Sign-In with ‘google-api-cpp-client’.
On an OAuth2.0 client, ID token handling can cause an unhandled exception resulting in denial of service.
Once a 3rd party service uses Google Sign-in with ‘google-api-cpp-client’, a malicious user can trigger this vulnerability by requesting the client to receive the user’s ID token from an Google's authentication server.
Attack vector
If a 3rd party service uses Google Sign-In with an app or site via ‘google-api-cpp-client’, malicious user can make Google’s authentication server send the user’s ID token to the client on 3rd party.
During type handling in ID token, it can cause an unhandled exception resulting in denial of service on 3rd party service.
After then other users can no longer login/sign-in to the 3rd party service.
Vulnerability type
CWE-754: Improper Check for Unusual or Exceptional Conditions
Sincerely,
from google-api-cpp-client.
aiuto
commented on May 5, 2024
*From: *Seong-Joong Kim <[email protected]>
*Date: *Mon, May 6, 2019 at 10:31 PM
*To: *google/google-api-cpp-client
*Cc: *Subscribed
@SurferJeffAtGoogle <https://github.com/SurferJeffAtGoogle>
What do you think of it as security issue?
I think that it can be used for denial of service attack.
*Description*
An exploitable unhandled exception vulnerability exists during Google
Sign-In with ‘google-api-cpp-client’.
On an OAuth2.0 client, ID token handling can cause an unhandled exception
resulting in denial of service.
Once a 3rd party service uses Google Sign-in with ‘google-api-cpp-client’,
a malicious user can trigger this vulnerability by requesting the client to
receive the user’s ID token from an Google's authentication server.
If the user can retrieve tokens for themselves, that is a less severe
problem. Any application or web page can be exploited by the user to expose
their own authentication tokens. An exploit would allow one to retrieve the
tokens for an arbitrary other user.
*Attack vector*
If a 3rd party service uses Google Sign-In with an app or site via
‘google-api-cpp-client’, malicious user can make Google’s authentication
server send the user’s ID token to the client on 3rd party.
Do you have an example exploit?
During type handling in ID token, it can cause an unhandled exception
resulting in denial of service on 3rd party service.
After then other users can no longer login/sign-in to the 3rd party
service.
This library has no exception handling, so that is sort of a moot point. If
it crashes, that is fine. If a service wants to
enable exceptions, it could, but it should wrap calls to the library.
*Vulnerability type*
… CWE-754: Improper Check for Unusual or Exceptional Conditions
Sincerely,
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#57 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAXHHHDAPGB2LNICXWBRVJTPUDSWLANCNFSM4FO5WXDQ>
.
from google-api-cpp-client.
sungjungk
commented on May 5, 2024
Thank you for your reply.
I am not talking about flaws of token exposure.
Instead, I just mentioned that above wrong type handling causes an unhandled exception, resulting in denial of service on 3rd party application with Google Sign-In service.
Similarly, there exist several vulnerabilities related to wrong type handling in client libraries.
They mishandled or unhandled certain exceptions, leading to a denial of service in applications that use these libraries.
: CVE-2017-12119, CVE-2018-12680, CVE-2019-9628, etc.
from google-api-cpp-client.
tmatsuo
commented on May 5, 2024
Thanks for filing the issue, but we deprecated this repository, so closing.
from google-api-cpp-client.
Related Issues (20)
- Can't build: struct mg_callbacks callbacks_; isn't defined HOT 3
- Calendar sample program does not work well, HOT 1
- Mac build fails if space in path HOT 1
- Support for account default credentials HOT 1
- Update prepare_dependencies.py download paths HOT 3
- Please provide some examples.
- glog-0.3.3.tar.gz into glog-0.3.3
- Mismatch between functions that take StringPieces and functions that take strings causes runtime errors. HOT 1
- Failure Building Clients for Other APIs HOT 2
- Retry when Status Code 403 Forbidden HOT 1
- First upload to GCS always times out HOT 3
- undefined reference to `googleapis::client::New .... HOT 1
- Latest downloaded generated bigquery code is incompatible with latest framework code HOT 1
- does this work on windows? HOT 1
- Incompatible dependencies when linking HOT 2
- HAVE_UGO_PERMISSIONS and HAVE_FSTAT64 always fail HOT 1
- Tons of depreciation warnings during compile HOT 1
- More samples needed HOT 2
- std::cout missing #include <iostream> HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from google-api-cpp-client.