Isciurus

**Name of the Vulnerable Software and Affected Versions** Google Play services SDK versions prior to 2015 **Description** The issue allows attackers to bypass an intended consent dialog and retrieve tokens for arbitrary OAuth scopes, including the SID and LSID scopes, by setting specific parameters in OAuth token requests. This can be achieved by a crafted application, potentially leading to unauthorized access to a Google account. The `has permission=1` parameter value can be set upon finding ` opt has permission` in the Bundle extras argument, demonstrating the vulnerability. **Recommendations** For Google Play services SDK versions prior to 2015, consider restricting the use of the `GoogleAuthUtil.getToken` method until a patch is available, and avoid setting the ` opt has permission` parameter in the Bundle extras argument to minimize the risk of exploitation.