OAuth Token Bypass Vulnerability in Google Play Services SDK
CVE-2014-7922
Currently unrated
What is CVE-2014-7922?
A security flaw in the Google Play Services SDK allows malicious applications to abuse the GoogleAuthUtil.getToken method. By manipulating the parameters of OAuth token requests through the Bundle extras, an attacker can bypass consent dialogs and gain unauthorized access to sensitive OAuth scopes, including the SID and LSID scopes. Exploitation could lead to unauthorized access to a user’s Google account and sensitive information.