CVE-2020-7692 Overview
CVE-2020-7692 is an Authorization Bypass vulnerability affecting the Google OAuth Client Library for Java. PKCE (Proof Key for Code Exchange) support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource.
Critical Impact
This vulnerability allows attackers to intercept OAuth authorization codes and gain unauthorized access to protected resources by exploiting the missing PKCE implementation in native OAuth flows.
Affected Products
- Google OAuth Client Library for Java (versions before 1.31.0)
- Applications using com.google.oauth-client:google-oauth-client package
- Apache Druid (depends on the affected library)
Discovery Timeline
- 2020-07-09 - CVE-2020-7692 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-7692
Vulnerability Analysis
This vulnerability stems from improper implementation of the OAuth 2.0 security specification for native applications. The Google OAuth Client Library for Java failed to implement PKCE (Proof Key for Code Exchange) as mandated by RFC 7636 and RFC 8252. PKCE is a critical security extension designed to protect the authorization code grant flow from interception attacks, particularly in public clients like mobile and native applications where the client secret cannot be securely stored.
Without PKCE, the token exchange is bound to nothing but possession of the authorization code: whoever presents the code receives the tokens. This creates a window of opportunity where an attacker with a malicious application on the same device can intercept the authorization code through means such as custom URI scheme hijacking, app impersonation, or malicious redirects. The impact extends to both the confidentiality and the integrity of protected resources, as successful exploitation grants the attacker full authorization to access and modify data on behalf of the legitimate user.
Root Cause
The root cause is the missing implementation of PKCE support in the AuthorizationCodeRequestUrl and AuthorizationCodeFlow classes. The library did not generate or validate the code_verifier and code_challenge parameters required by the PKCE specification, leaving the authorization code exchange vulnerable to interception attacks.
Attack Vector
The attack exploits the network-accessible OAuth authorization flow. An attacker positions a malicious application on the victim's device that registers the same custom URI scheme used by the legitimate OAuth client. When the user initiates an OAuth flow:
- The authorization server issues an authorization code
- The malicious app intercepts the redirect containing the authorization code
- The attacker exchanges the stolen authorization code for access tokens
- The attacker gains full access to the protected resource
This attack requires no special privileges and can be executed without user interaction once the malicious app is installed.
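The following Python toy is an added example and is not code from the Google OAuth Client Library or the commit referenced on this page. It models the mechanics described under Technical Details and Attack Vector: the client derives a code_challenge from a random code_verifier (RFC 7636 S256), the authorization server binds the issued code to that challenge, and the token endpoint refuses any redemption that cannot present the matching verifier. With require_pkce=False the toy server behaves like the pre-PKCE flow, where possession of the code alone is sufficient; with require_pkce=True it also implements the server-side rejection of flows without PKCE parameters listed under Workarounds. Class and function names, the in-memory code store, and the single-use rule on failed attempts are assumptions made for this example.

```python
"""Added example (not google-oauth-java-client code): a toy authorization server
showing why an intercepted authorization code is useless without the PKCE
code_verifier, and how that differs from the flow without PKCE."""
import base64
import hashlib
import secrets


# ---- Client side (RFC 7636 sections 4.1 and 4.2) ----

def generate_code_verifier(length: int = 64) -> str:
    """Random code_verifier of 43..128 characters from the unreserved set."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters (RFC 7636 4.1)")
    # token_urlsafe emits [A-Za-z0-9_-], all unreserved; trim to the wanted length.
    return secrets.token_urlsafe(128)[:length]


def code_challenge_s256(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# ---- Server side (assumed in-memory stand-in for the two endpoints) ----

class AuthorizationServer:
    """require_pkce=False: the code alone redeems a token (the flaw on this page).
    require_pkce=True: the code is bound to the code_challenge of the client that
    started the flow, so only the holder of the verifier can redeem it."""

    def __init__(self, require_pkce: bool = True):
        self.require_pkce = require_pkce
        self._codes = {}  # code -> {"client_id", "challenge", "used"}

    def authorize(self, client_id, code_challenge=None, code_challenge_method="S256"):
        """Authorization endpoint: issue the code that the redirect carries back."""
        if code_challenge is None and self.require_pkce:
            raise ValueError("invalid_request: code_challenge is required")
        if code_challenge is not None and code_challenge_method != "S256":
            # 'plain' would expose the verifier on the front channel; refuse it.
            raise ValueError("invalid_request: only S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge, "used": False}
        return code

    def token(self, client_id, code, code_verifier=None):
        """Token endpoint: returns (granted, detail)."""
        entry = self._codes.get(code)
        if entry is None or entry["client_id"] != client_id:
            return False, "invalid_grant: unknown code or client mismatch"
        if entry["used"]:
            return False, "invalid_grant: authorization code already redeemed"
        entry["used"] = True  # single use even when this attempt fails (RFC 6749 4.1.2)
        if entry["challenge"] is None:
            # Legacy flow: nothing ties the code to the original client.
            return True, "access-token-" + secrets.token_hex(8)
        if code_verifier is None:
            return False, "invalid_request: code_verifier is required"
        if not secrets.compare_digest(entry["challenge"], code_challenge_s256(code_verifier)):
            return False, "invalid_grant: code_verifier does not match code_challenge"
        return True, "access-token-" + secrets.token_hex(8)


def interception_outcome(require_pkce: bool) -> bool:
    """Does a party that saw only the redirect (the code, not the verifier) get a token?"""
    server = AuthorizationServer(require_pkce=require_pkce)
    verifier = generate_code_verifier()  # stays in the legitimate app's memory
    challenge = code_challenge_s256(verifier) if require_pkce else None
    code = server.authorize("native-app", challenge)
    granted, _ = server.token("native-app", code)  # code presented without verifier
    return granted


def legitimate_outcome() -> bool:
    """The client that started the flow redeems its own code with its verifier."""
    server = AuthorizationServer(require_pkce=True)
    verifier = generate_code_verifier()
    code = server.authorize("native-app", code_challenge_s256(verifier))
    granted, _ = server.token("native-app", code, code_verifier=verifier)
    return granted


if __name__ == "__main__":
    print("no PKCE, code alone redeems a token:", interception_outcome(False))
    print("PKCE, code alone redeems a token:  ", interception_outcome(True))
    print("PKCE, legitimate client:           ", legitimate_outcome())
```

The verifier never leaves the client process, which is why a second app that only observes the redirect cannot complete the exchange once the server enforces PKCE; the single-use rule additionally turns any duplicate redemption into a detectable event rather than a second token.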
// Security patch adding PKCE support to AuthorizationCodeRequestUrl.java
// Source: https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
package com.google.api.client.auth.oauth2;
+import com.google.api.client.util.Key;
+
import java.util.Collection;
import java.util.Collections;
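Review bot: the excerpt shows only the added `com.google.api.client.util.Key` import, which suggests new `@Key`-annotated request fields, but none of the `code_challenge` or `code_challenge_method` fields, nor any `code_verifier` handling on the token-request side, appear in the visible lines; quote the full hunk of `AuthorizationCodeRequestUrl.java` (and the token-request counterpart) so the PKCE change itself can be reviewed rather than inferred from an import.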
The fix introduces PKCE support by adding the necessary imports and implementing code_challenge and code_verifier parameters in the authorization flow. A new sample module was also added to demonstrate proper PKCE implementation:
// Build configuration update adding PKCE sample
// Source: https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
<module>google-oauth-client-java6</module>
<module>google-oauth-client-jetty</module>
<module>samples/dailymotion-cmdline-sample</module>
+ <module>samples/keycloak-pkce-cmdline-sample</module>
<!-- For deployment reasons, a deployable artifact must be the last one. -->
<module>google-oauth-client-assembly</module>
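Review bot: placing `samples/keycloak-pkce-cmdline-sample` directly after `samples/dailymotion-cmdline-sample` respects the constraint in the comment that follows, that `google-oauth-client-assembly` must remain the last module; since the name indicates the sample targets a Keycloak server, the sample should ship with documentation of what it expects from the environment so that a build or review without a Keycloak instance is not mistaken for a regression.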
Detection Methods for CVE-2020-7692
Indicators of Compromise
- OAuth authorization codes being redeemed from unexpected IP addresses or user agents
- Multiple token exchange attempts using the same authorization code
- Unusual access patterns to protected resources following OAuth authentication
- Authorization code exchanges occurring without corresponding code_verifier parameters
Detection Strategies
- Implement dependency scanning to identify applications using com.google.oauth-client:google-oauth-client versions prior to 1.31.0
- Monitor OAuth authorization server logs for authorization codes exchanged without PKCE parameters
- Audit application dependencies using tools like OWASP Dependency-Check or Snyk
- Review OAuth flow implementations to ensure PKCE is properly configured
Monitoring Recommendations
- Enable detailed logging on OAuth authorization servers to track code_challenge parameter presence
- Monitor for anomalous token exchange patterns that may indicate authorization code theft
- Implement alerting for OAuth flows that complete without PKCE validation
- Track and inventory all applications using the affected Google OAuth client library versions
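The following Python script is an added example, not tooling from the Google project or from any authorization-server vendor. It runs the checks listed under Indicators of Compromise and Monitoring Recommendations over a few constructed log lines: token exchanges without a code_verifier, authorization requests without a code_challenge, the same code redeemed more than once, and a redemption from an IP address other than the one that started the flow. The single-line, timestamp plus key=value log layout is an assumption made for the example; real servers log differently, so parse_line is the part to adapt.

```python
"""Added example (not from the Google OAuth library): flag PKCE-less and
anomalous authorization-code redemptions in authorization-server logs."""
import re
from collections import defaultdict

# Constructed sample lines (not real server output). Layout is an assumption:
# one timestamp followed by key=value fields. IPs are RFC 5737 documentation
# addresses. c1 is a healthy PKCE flow; c2 is a legacy flow whose code is
# redeemed from another address and then presented a second time.
SAMPLE_LOG = """\
2020-07-10T12:00:01Z event=authorize client_id=native-app code=c1 ip=203.0.113.10 code_challenge=present
2020-07-10T12:00:02Z event=token client_id=native-app code=c1 ip=203.0.113.10 code_verifier=present result=ok
2020-07-10T12:00:05Z event=authorize client_id=legacy-app code=c2 ip=203.0.113.20 code_challenge=absent
2020-07-10T12:00:06Z event=token client_id=legacy-app code=c2 ip=198.51.100.7 code_verifier=absent result=ok
2020-07-10T12:00:07Z event=token client_id=legacy-app code=c2 ip=203.0.113.20 code_verifier=absent result=invalid_grant
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str):
    """Parse one assumed-format line into a dict, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    fields["ts"] = m.group("ts")
    return fields


def analyze(log_text: str) -> dict:
    """Return {authorization_code: [finding, ...]} for codes with at least one finding."""
    findings = defaultdict(list)
    authorize_ip = {}              # code -> IP that started the flow
    redemptions = defaultdict(int)  # code -> number of token-endpoint attempts

    def flag(code, tag):
        if tag not in findings[code]:
            findings[code].append(tag)

    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "code" not in ev:
            continue
        code = ev["code"]
        if ev.get("event") == "authorize":
            authorize_ip[code] = ev.get("ip")
            if ev.get("code_challenge") != "present":
                flag(code, "authorize_without_code_challenge")
        elif ev.get("event") == "token":
            redemptions[code] += 1
            if ev.get("code_verifier") != "present":
                flag(code, "token_without_code_verifier")
            if code in authorize_ip and authorize_ip[code] != ev.get("ip"):
                flag(code, "redeemed_from_different_ip")
            if redemptions[code] > 1:
                flag(code, "code_redeemed_more_than_once")
    return dict(findings)


if __name__ == "__main__":
    for code, tags in analyze(SAMPLE_LOG).items():
        print(code, "->", ", ".join(tags))
```

An "absent" code_verifier on its own points at a client still running a pre-PKCE library version and is an inventory item rather than an incident; the combination with a different redemption address or a repeated redemption of the same code is what should page someone, since it matches the interception scenario this advisory describes.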
How to Mitigate CVE-2020-7692
Immediate Actions Required
- Upgrade com.google.oauth-client:google-oauth-client to version 1.31.0 or later immediately
- Audit all applications using the Google OAuth Java Client library for vulnerable versions
- Review OAuth implementations to ensure PKCE is enabled after upgrading
- Invalidate and rotate any OAuth tokens that may have been compromised
Patch Information
Google has released version 1.31.0 of the OAuth Client Library for Java which includes full PKCE support. The security patch adds code_challenge and code_verifier parameter handling to the AuthorizationCodeFlow class. The fix can be reviewed in the GitHub Commit. Additional context is available in the GitHub Issue Discussion and the Snyk Vulnerability Report.
Workarounds
- If immediate upgrade is not possible, implement server-side validation to reject OAuth flows without PKCE parameters
- Consider implementing additional authentication factors for sensitive resource access
- Use client secrets where possible as an additional layer of protection (though PKCE should still be implemented)
- Monitor for authorization code interception attempts while patching is in progress
# Maven dependency update example
# Update pom.xml to use the patched version:
#   <dependency>
#     <groupId>com.google.oauth-client</groupId>
#     <artifactId>google-oauth-client</artifactId>
#     <version>1.31.0</version>
#   </dependency>

# Verify which version your project currently resolves (direct or transitive)
mvn dependency:tree -Dincludes=com.google.oauth-client:google-oauth-client

# Move the declared dependency to the latest released version (1.31.0 or later);
# requires the versions-maven-plugin to be available to the build
mvn versions:use-latest-versions -Dincludes=com.google.oauth-client:google-oauth-client
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.