CSRF Flaw Patched in Popular Spring Social Core Library

Spring Social, a popular Java library used for social authentication, patched a risky cross-site request forgery vulnerability.

A nasty cross-site request forgery vulnerability was patched Thursday in the Spring Social core library, one of the most pervasive Java application libraries.

Spring Social facilitates social authentication between applications and online services, and the vulnerability allowed attackers to bypass authentication checks, impersonate users and take over social media or other online accounts.

Pivotal Software updated the library Thursday, after it was privately disclosed by researchers at startup SourceClear, which yesterday disclosed details on the flaw.

SourceClear CEO Mark Curphey said this vulnerability is symptomatic of a bigger issue with reusable code libraries that are pulled into sundry applications. Software development has undergone a shift in the last decade from building custom code to snapping together open source and freely available libraries, most of which require manual updates.

“Historically, patching falls between the cracks,” Curphey said. “Developers have got a million things on their minds and adding something that might break things when they’re shipping features or dealing with performance is a tough sell sometimes.”

SourceClear said that all current version of Spring Social, 1.00 to 1.1.2, are vulnerable and must be updated. SourceClear’s Paul Ambrosini and Include Security’s Kris Bosch discovered the flaw, which is a failed CSRF check, specifically the checking of a state parameter during the OAuth2 connection flow, SourceClear said.

An attacker could exploit this flaw by initiating a social login request with a vulnerable site to generate a URL, Spring Social said. That URL could be sent directly to another user via social media, for example, and when it’s clicked, the URL associates the attacker’s account with the user’s login.

“An attacker embeds a URL into a page; the attack abuses the trust that a browser has in a website,” Ambrosini said. “When a victim visits a site, the browser will attempt to access that URL. Because their browser is logged in to the website the attacker going after, the website will do the code exchange and associate the fake account with the real account.”

At that point, the attacker can take advantage of social authentication to log into the website, he said.

Complicating the matter is the fact that when vulnerable code is pulled from sharing sites such as Github, a footprint is left behind as to who is sharing the code, which can be followed by the attacker to find additional vulnerable deployments.

“What we’re seeing is attackers using that footprint to attack others,” Curphey said.

Suggested articles