Serious bug in widely used Java app library patched

November 18, 2015

A serious cross-site request forgery vulnerability in a widely used Java application library was patched last week. Developers who use the Java Spring Social core library in their projects are strongly urged to update as soon as possible.

Attackers are able to take over a user’s account by exploiting a CSRF-style flaw against the Spring Social authentication feature, according to the technical analysis posted on SourceClear’s site. The Java Spring Social core library provides Java bindings to service provider APIs from sites such as GitHub, Facebook, LinkedIn, and Twitter. The library lets developers add a social login feature (“Login with GitHub,” for example) to their applications and handles the connections with OAuth2 providers. Attackers who successfully exploit the flaw can use their own social credentials to log in to victims’ accounts on the vulnerable site.
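To make the class of flaw concrete, here is an added example in Python (not Spring Social's code and not from the article or SourceClear's analysis) of an OAuth2 "connect" callback: the vulnerable handler honours any callback a logged-in browser delivers, while the hardened one accepts only a callback carrying the single-use state token this session issued. The `Session` type, the `links` store, the `provider_account` parameter and the assumption that the missing check is a session-bound state token are all constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Server-side session of a user already logged in to the application."""
    user: str
    oauth_state: Optional[str] = None


def connect_callback_vulnerable(session: Session, params: dict, links: dict) -> bool:
    """Links the provider account with no proof this session started the flow.
    A forged callback reaching the victim's logged-in browser is accepted."""
    links[session.user] = params["provider_account"]
    return True


def start_connect_hardened(session: Session) -> str:
    """Issue an unguessable state token, bind it to the session, and return it
    so it can be sent to the provider, which echoes it back on the callback."""
    session.oauth_state = secrets.token_urlsafe(32)
    return session.oauth_state


def connect_callback_hardened(session: Session, params: dict, links: dict) -> bool:
    """Accept the callback only if its state matches the one this session issued."""
    expected, session.oauth_state = session.oauth_state, None  # single use
    received = params.get("state", "")
    if not expected or not hmac.compare_digest(expected, received):
        return False  # not a flow this user started: CSRF attempt or stale callback
    links[session.user] = params["provider_account"]
    return True


def run_forged_callback(hardened: bool) -> dict:
    """Constructed scenario: the victim never started a connect flow, yet a callback
    naming the attacker's provider account arrives in the victim's session."""
    links: dict = {}
    victim = Session(user="victim")
    forged = {"provider_account": "attacker@provider", "state": "guess"}
    if hardened:
        connect_callback_hardened(victim, forged, links)
    else:
        connect_callback_vulnerable(victim, forged, links)
    return links
```

A successful forgery links the attacker's provider identity to the victim's application account, which is exactly what "Login with &lt;provider&gt;" then trusts; the state check breaks that link.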

The issue was first discovered by Kris Bosch of Include Security, but Paul Ambrosini, SourceClear’s co-founder, identified the failed CSRF check in the Spring Social code. SourceClear privately disclosed the vulnerability (CVE-2015-5258) to Pivotal Software, the developer behind the Spring Social core library, and Pivotal last week released the fix on Maven Central as part of version 1.1.3.

Read more on InfoWorld