getService() or the equivalent method is public in almost all of the available samples and documentation, instead of having a trailing underscore like getService_().
This means that any user can call getService by using google.script.run in the browser console, which will return the application's OAuth Client ID and Secret (which are not supposed to be given to users!). This allows any user of an extension to impersonate that extension by using its ID/Secret.
This issue was discovered during an internal security review for an extension I was building, and unfortunately it means that anyone who has copied one of the samples here and is using it in production is currently vulnerable to having their Client ID/Secret read by any user of the extension, provided they did not change the getService method to be private.
I reported this issue through https://g.co/vulnz per the security policy https://github.com/googleworkspace/apps-script-oauth2/security/policy and was told to open a public issue on this repo (issue tracker reference: https://issuetracker.google.com/issues/238056715).
I have a PR ready to go that fixes this issue for the samples right now, but unfortunately it won't retroactively fix it for anyone who has copied a sample.
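For anyone checking a project that was copied from a sample, the following audit script lists top-level functions that build an OAuth2 service and lack the trailing underscore. It is an added example, not part of the original issue or the library's code; it runs under Node.js, and `findExposedServiceFunctions`, `blockAt` and the sample source are hypothetical names and constructed input.

```javascript
// Apps Script hides a server function from google.script.run only when its
// name ends in "_"; this flags service builders that lack that suffix.
const CREATES_SERVICE = /\bOAuth2\s*\.\s*createService\s*\(/;

// Return the text of the block whose opening brace is at index `open`.
// Naive brace matching: braces inside strings or comments are not handled.
function blockAt(source, open) {
  let depth = 0;
  for (let i = open; i < source.length; i++) {
    if (source[i] === '{') depth++;
    else if (source[i] === '}' && --depth === 0) return source.slice(open, i + 1);
  }
  return source.slice(open); // unbalanced input: take the rest
}

// List top-level function declarations (starting at column 0) that are
// client-callable (no trailing underscore) and construct an OAuth2 service.
function findExposedServiceFunctions(source) {
  const exposed = [];
  const decl = /^function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{/gm;
  let m;
  while ((m = decl.exec(source)) !== null) {
    const name = m[1];
    const open = m.index + m[0].length - 1; // index of the opening brace
    const body = blockAt(source, open);
    if (!name.endsWith('_') && CREATES_SERVICE.test(body)) exposed.push(name);
    decl.lastIndex = open + body.length; // continue after this function
  }
  return exposed;
}

// Constructed sample input modelled on the pattern the issue describes.
const SAMPLE = `
function getService() {
  return OAuth2.createService('Example')
      .setClientId(CLIENT_ID).setClientSecret(CLIENT_SECRET);
}

function getOtherService_() {
  return OAuth2.createService('Other')
      .setClientId(CLIENT_ID).setClientSecret(CLIENT_SECRET);
}

function showSidebar() {
  if (getOtherService_().hasAccess()) { Logger.log('ok'); }
}
`;
console.log(findExposedServiceFunctions(SAMPLE));
```

Any name it reports should be renamed with a trailing underscore, along with every call site.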