Serious bug in widely used Java app library patched

The CSRF-style bug in Java Spring Social core library affected websites that allowed users to log in with credentials from LinkedIn, Twitter, GitHub, and Facebook, among others

A serious cross-site request forgery vulnerability in a widely used Java application library was patched last week. Developers who use Java Spring Social core library in their projects are strongly urged to update as soon as possible.

Attackers are able to take over a user's account by exploiting a CSRF-style flaw against the Spring Social authentication feature, according to the technical analysis posted on SourceClear's site. The Java Spring Social core library provides Java bindings to service provider APIs from sites such as GitHub, Facebook, LinkedIn, and Twitter. The library lets developers add a social login feature ("Login with GitHub," for example) to their applications and handles the connections with OAuth2 providers. Attackers who successfully exploit the flaw can use victims' social credentials to log in to their accounts on the vulnerable site.

Copyright © 2015 IDG Communications, Inc.

How to choose a low-code development platform