CSRF attack caused by anti-CSRF protection system

Nov 13, 2015 12:18 GMT  ·  By

A bug in the Spring Social Java library allows attackers to gain access to a victim's private account on websites with social sign-in (SSI) enabled, using the attacker's social account credentials.

Spring Social is one of Java's most widely used social sign-in libraries. It acts as a generic wrapper around OAuth2 operations and lets developers add a social login feature to their applications that supports a wide range of social services out of the box.

The vulnerability went undetected for the past two years

According to SourceClear researchers, websites that have deployed Spring Social versions 1.0.0.M4 through 1.1.2 have a vulnerability (CVE-2015-5258) that can grant attackers access to user accounts, but only if the user is fooled into clicking a specially crafted link.

The Spring Social vulnerability manifests itself when an attacker clicks a site's social login button. This action generates a unique URL that is tied to the attacker's social media account (the one whose button was clicked).

If the attacker places this link in a phishing email, an ad, a full-page overlay or any other place where a user can click on it, and the victim does so, the victim's account on the website becomes linked to the attacker's social media account.

From then on the attacker can access the victim's website account simply by signing in with his own social account username and password.

A fix for Spring Social is already out

SourceClear notified Spring Social's maintainers, who released version 1.1.3 on Maven Central (not yet on GitHub) to fix this issue.

Ironically, the bug was caused by the "state" parameter used in the OAuth2 connection flow, a parameter that was added specifically to protect against CSRF attacks, which is exactly the class of vulnerability described above.
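To make the role of the "state" parameter concrete, here is an added illustration (not Spring Social's code, and not a reconstruction of the actual CVE-2015-5258 defect) of the check that parameter is meant to provide in an OAuth2 login callback. It contrasts a hypothetical weak handler that only requires some state value to be present with a hardened handler that compares the presented state against the one stored in the caller's own session, and shows that only the hardened handler refuses to link a session using a callback URL that was generated from a different session. The provider and callback URLs, the client id, the in-memory session store and the authorization code are all constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical in-memory session store keyed by session id; in a real
# deployment this would be the container's HTTP session.
SESSIONS: dict = {}

AUTHORIZE_ENDPOINT = "https://provider.example/oauth2/authorize"  # placeholder provider
CALLBACK_URL = "https://site.example/connect/callback"            # placeholder relying party


def new_session() -> str:
    """Create an empty session and return its id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def start_login(sid: str) -> str:
    """Build the authorization redirect and bind a fresh, random state to this session."""
    state = secrets.token_urlsafe(32)
    SESSIONS[sid]["oauth2_state"] = state
    params = {
        "response_type": "code",
        "client_id": "demo-client",  # placeholder
        "redirect_uri": CALLBACK_URL,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def _callback_params(url: str) -> dict:
    """Flatten the query string of a callback URL into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback_weak(sid: str, callback_url: str) -> bool:
    """Hypothetical weak handler: demands a state value but never ties it to the session."""
    params = _callback_params(callback_url)
    if "code" not in params or not params.get("state"):
        return False
    # Any state is accepted, so it does not matter who started the flow.
    SESSIONS[sid]["connected_account"] = params["code"]
    return True


def handle_callback_strict(sid: str, callback_url: str) -> bool:
    """Hardened handler: state must match the one THIS session stored, and is single-use."""
    params = _callback_params(callback_url)
    expected = SESSIONS[sid].pop("oauth2_state", None)  # consume it even on failure
    presented = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected, presented):
        return False
    if "code" not in params:
        return False
    SESSIONS[sid]["connected_account"] = params["code"]
    return True


def foreign_callback_links_session(handler) -> bool:
    """True if a callback generated from one session can link a different session."""
    initiator = new_session()
    other = new_session()
    redirect = start_login(initiator)  # the flow, and its state, belong to `initiator`
    state = _callback_params(redirect)["state"]
    # Constructed stand-in for the provider's redirect back to the site.
    callback = f"{CALLBACK_URL}?{urlencode({'code': 'FOREIGN-CODE', 'state': state})}"
    # `other` never started a flow; it just receives the callback URL.
    return handler(other, callback) and SESSIONS[other].get("connected_account") == "FOREIGN-CODE"


def normal_flow_links_session(handler) -> bool:
    """True if a session that started the flow itself can complete it."""
    sid = new_session()
    state = _callback_params(start_login(sid))["state"]
    callback = f"{CALLBACK_URL}?{urlencode({'code': 'OWN-CODE', 'state': state})}"
    return handler(sid, callback) and SESSIONS[sid].get("connected_account") == "OWN-CODE"


if __name__ == "__main__":
    print("weak handler, foreign callback accepted:", foreign_callback_links_session(handle_callback_weak))
    print("strict handler, foreign callback accepted:", foreign_callback_links_session(handle_callback_strict))
    print("strict handler, own flow accepted:", normal_flow_links_session(handle_callback_strict))
```

The design point is that the state value on its own proves nothing; what defends against login CSRF is the binding between the value in the callback and the value the receiving session stored when it started the flow, compared in constant time and consumed on first use so that a stale link cannot be replayed.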

A more in-depth blog post about this bug with a technical teardown is available on SourceClear's website.