PT-2024-40052 · Unknown · OpenRefine

Published

2024-10-24

·

Updated

2024-10-24

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

OpenRefine 3.8.2

Description

OpenRefine 3.8.2 ships the Google API OAuth credentials (client ID and client secret) used by its Google Data extension inside the released artifacts. They can be recovered from openrefine-gdata.jar in openrefine-3.8.2/webapp/extensions/gdata/module/MOD-INF/lib: the values are stored Base64-encoded in GoogleAPIExtension.java and can be decoded to obtain the plaintext credentials. A third-party application holding them can present itself to Google as OpenRefine when requesting access to a user's Google account. Doing anything further with an account also requires that user's access tokens, which this issue does not expose by itself.
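The extraction described above, and the check a release pipeline should run before publishing an artifact, can both be done with a small scanner. The following is an added example written for this page, not OpenRefine's own code: it builds a constructed jar whose single class member embeds a Base64-encoded, fabricated client ID, then walks every member, decodes Base64-looking tokens and reports those matching the shape `<digits>-<alnum>.apps.googleusercontent.com`. That client-ID shape, the member names and the fake value are assumptions made for the example; no real credential appears.

```python
import base64
import binascii
import io
import re
import zipfile

# Assumed shape of a Google OAuth client ID (the value scanned for below is
# constructed for this example and is not a real credential).
CLIENT_ID_RE = re.compile(r"^\d+-[a-z0-9]+\.apps\.googleusercontent\.com$")

# Runs of Base64 alphabet characters long enough to hold a credential.
B64_TOKEN_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidates(blob):
    """Yield (token, decoded_text) for Base64 tokens that decode to printable ASCII."""
    for m in B64_TOKEN_RE.finditer(blob):
        tok = m.group(0)
        if len(tok) % 4:          # not a complete Base64 quantum, skip it
            continue
        try:
            dec = base64.b64decode(tok, validate=True)
        except binascii.Error:
            continue
        if dec and all(32 <= b < 127 for b in dec):
            yield tok.decode(), dec.decode()


def scan_jar(jar_bytes):
    """Return [(member_name, decoded_value)] for Base64 strings that decode to a client ID."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue          # directory entry, nothing to read
            for _tok, dec in decode_candidates(zf.read(name)):
                if CLIENT_ID_RE.match(dec):
                    findings.append((name, dec))
    return findings


def build_sample_jar(embed_credential=True):
    """Constructed jar: one class-like member, optionally embedding a Base64 fake client ID.

    Returns (jar_bytes, fake_client_id). The member path mirrors an extension
    class layout but is an assumption, not OpenRefine's real packaging.
    """
    fake_id = "000000000000-constructedexampleonly.apps.googleusercontent.com"
    value = base64.b64encode(fake_id.encode()).decode() if embed_credential else "unset"
    src = 'public class GoogleAPIExtension { static final String CLIENT_ID = "%s"; }' % value
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/google/refine/extension/gdata/GoogleAPIExtension.class", src)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue(), fake_id


if __name__ == "__main__":
    jar, _ = build_sample_jar()
    for member, client_id in scan_jar(jar):
        print("embedded client ID in %s: %s" % (member, client_id))
```

Pointing `scan_jar` at a real jar (`scan_jar(open(path, "rb").read())`) applies the same walk to every member, including compiled classes, since Base64 string constants survive compilation intact. The client secret is not pattern-matched here because its format is not documented on this page; in practice it sits next to the client ID, so a hit on the ID is the signal to inspect the surrounding bytes.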
Recommendations

The credentials bundled in OpenRefine 3.8.2 should be revoked. As a temporary workaround, users who have connected their Google account to OpenRefine should revoke OpenRefine's access to that account.

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

GHSA-3PG4-QWC8-426R

Affected Products

OpenRefine