Closed as duplicate
Labels: bug (Something isn't working), triage (Issues that need to be triaged)
Description
🚨 AppAuth-iOS 2.0.0 Vulnerability Report for Google SignIn Team
Affected Dependency Chain
GoogleSignIn-iOS v9.0.0
└── GTMAppAuth v5.0.0
    └── AppAuth-iOS v2.0.0
Current Security Vulnerabilities
- CVE-2007-1652 (CVSS: 7.5 - HIGH) 🚨 ACTIVE
  - Severity: HIGH (CVSS 2.0: 7.5)
  - Attack Vector: Network
  - Authentication: None required
  - Impact: Partial confidentiality, integrity, and availability
  - Exploitability Score: 10.0 (maximum)
  - CWE: NVD-CWE-Other
  - Description: OpenID allows remote attackers to forcibly log a user into an OpenID enabled site, divulge the user's personal information to this site, and add the site to the trusted sites list via a crafted web page, related to cached tokens
  - Vulnerable Software: cpe:2.3:a:openid:openid:*:*:*:*:*:*:*:*
- CVE-2007-1651 (CVSS: 6.8 - MEDIUM) 🚨 ACTIVE
  - Severity: MEDIUM (CVSS 2.0: 6.8)
  - Attack Vector: Network (requires user interaction)
  - Authentication: None required
  - Impact: Partial confidentiality, integrity, and availability
  - Exploitability Score: 8.6
  - CWE: NVD-CWE-Other
  - Description: Cross-site request forgery (CSRF) vulnerability in OpenID allows remote attackers to restore the login session of a user on an OpenID enabled site via unspecified vectors related to an arbitrary remote web site and cached tokens, after the user has signed into an OpenID server, logged into the OpenID enabled site, and then logged out of the OpenID enabled site
  - Vulnerable Software: cpe:2.3:a:openid:openid:*:*:*:*:*:*:*:*
Vulnerability Details & References
CVE-2007-1652 References:
  - OpenID Security Mailing List: http://openid.net/pipermail/security/2007-March/
  - Janrain Security Fix: http://janrain.com/blog/2007/03/22/myopenid-security-fix/
  - OSVDB: http://osvdb.org/43601
CVE-2007-1651 References:
  - OpenID Security Mailing List: http://openid.net/pipermail/security/2007-March/
  - OSVDB: http://osvdb.org/43600
Historical Context & Attack Scenarios
Both vulnerabilities stem from 2007 OpenID specification issues related to:
- Token caching mechanisms
- Session state management
- CSRF protection weaknesses
Potential Attack Scenarios:
- Forced Login: Attacker can force users to log into sites without consent
- Information Disclosure: Personal information can be divulged to malicious sites
- Session Hijacking: Login sessions can be restored after logout
- Site Trust Manipulation: Malicious sites can be added to trusted site lists
Risk Assessment
- Current Risk: HIGH - Two active OpenID vulnerabilities in authentication flow
- Exploitability: High (network-based, no authentication required)
- Impact: Authentication bypass, information disclosure, session manipulation
- Affected Users: All iOS apps using GoogleSignIn-iOS v9.0.0
Recommendations
- Urgent: Update AppAuth-iOS to latest version (2.0.5+ recommended)
- Verify: Ensure the new version addresses these 2007 OpenID vulnerabilities
- Testing: Validate OAuth flows after dependency updates
- Release: Consider GoogleSignIn-iOS patch release with updated AppAuth-iOS
Scan Details
- Scan Date: 2025-08-27 15:28:24 UTC
- OWASP Dependency-Check: v12.1.3
- Detection Confidence: HIGH
- Package URL: pkg:swift/appauth-ios@2.0.0
- Repository: https://github.com/openid/AppAuth-iOS.git
Note: These are legacy OpenID vulnerabilities from 2007 that should have been addressed in modern OAuth 2.0/OIDC implementations. The fact that they're still flagged in AppAuth-iOS 2.0.0 suggests either false positives or unresolved legacy code paths.