The GoogleAuthUtil.getToken method in the Google Play services SDK before 2015 sets parameters in OAuth token requests upon finding a corresponding _opt_ parameter in the Bundle extras argument, which allows attackers to bypass an intended consent dialog and retrieve tokens for arbitrary OAuth scopes including the SID and LSID scopes, and consequently obtain access to a Google account, via a crafted application, as demonstrated by setting the has_permission=1 parameter value upon finding _opt_has_permission in that argument.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Chrome
Published: 2015-02-23T02:00:00
Updated: 2024-08-06T13:03:27.677Z
Reserved: 2014-10-06T00:00:00
Link: CVE-2014-7922
Vulnrichment
No data.
NVD
Status : Modified
Published: 2015-02-23T02:59:00.057
Modified: 2023-11-07T02:21:54.023
Link: CVE-2014-7922
Redhat
No data.