GHSA-3pg4-qwc8-426r: OpenRefine leaks Google API credentials in releases
OpenRefine releases embed Google API authentication credentials (an OAuth "client id" and "client secret") in the released artifacts, so anyone who downloads a release can recover them. For instance, download the package for OpenRefine 3.8.2 on Linux. It contains the file openrefine-3.8.2/webapp/extensions/gdata/module/MOD-INF/lib/openrefine-gdata.jar, which is a zip archive and can be extracted.
That archive in turn contains the file com/google/refine/extension/gdata/GoogleAPIExtension.java, which contains the following lines:
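The extraction steps above are what a release-audit script would automate: open the release package, descend into the nested jar, and flag any entry carrying something that looks like a Google OAuth client id or a string literal assigned to a "secret" identifier. The following scanner is an added example written for this page; it is not the advisory's own code nor OpenRefine's. The archive it scans is constructed inline (a zip standing in for the downloaded release, nesting a jar that nests a one-class Java source), the credential values in it are made up, and the two regular expressions are heuristics of my own, not a format guaranteed by Google.

```python
import io
import re
import zipfile
from pathlib import Path
from tempfile import mkdtemp

# Heuristics (assumptions, not taken from the advisory): a Google OAuth client id
# looks like "<digits>-<alnum>.apps.googleusercontent.com"; a client secret is
# any non-empty string literal assigned to an identifier containing "secret".
GOOGLE_CLIENT_ID_RE = re.compile(
    r"\b\d{6,}-[a-z0-9]{8,}\.apps\.googleusercontent\.com\b"
)
SECRET_ASSIGN_RE = re.compile(r'(?i)\b(\w*secret\w*)\s*=\s*"([^"\s]{8,})"')

NESTED_ARCHIVE_SUFFIXES = (".jar", ".zip", ".war")


def scan_archive(path_or_fileobj):
    """Walk every entry of a zip/jar, recursing into nested jars, and return a
    list of (entry_name, kind, value) for anything resembling a Google API
    credential. Nested entries are named "outer.jar!inner/path"."""
    findings = []
    with zipfile.ZipFile(path_or_fileobj) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if info.filename.endswith(NESTED_ARCHIVE_SUFFIXES):
                for name, kind, value in scan_archive(io.BytesIO(data)):
                    findings.append((f"{info.filename}!{name}", kind, value))
                continue
            # Decoding with errors ignored also works on .class files: their
            # constant-pool strings are modified UTF-8, which is plain UTF-8
            # for ASCII credentials like these.
            text = data.decode("utf-8", errors="ignore")
            for m in GOOGLE_CLIENT_ID_RE.finditer(text):
                findings.append((info.filename, "client_id", m.group(0)))
            for m in SECRET_ASSIGN_RE.finditer(text):
                findings.append((info.filename, "client_secret", m.group(2)))
    return findings


# Constructed sample data: these are NOT real credentials and NOT OpenRefine's
# source. They only mirror the nesting described in the advisory.
FAKE_CLIENT_ID = "000000000000-exampleexampleexample.apps.googleusercontent.com"
FAKE_CLIENT_SECRET = "EXAMPLE-not-a-real-secret-0000"

SAMPLE_SOURCE = f"""
package com.google.refine.extension.gdata;

public class GoogleAPIExtension {{
    private static final String CLIENT_ID = "{FAKE_CLIENT_ID}";
    private static final String CLIENT_SECRET = "{FAKE_CLIENT_SECRET}";
}}
"""

JAR_ENTRY = "openrefine-sample/webapp/extensions/gdata/module/MOD-INF/lib/openrefine-gdata.jar"
SOURCE_ENTRY = "com/google/refine/extension/gdata/GoogleAPIExtension.java"


def build_sample_release(directory):
    """Write a release-like zip (outer) containing a jar (inner) containing the
    constructed Java source, and return the path of the outer archive."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(SOURCE_ENTRY, SAMPLE_SOURCE)
    release = Path(directory) / "openrefine-sample-linux.zip"
    with zipfile.ZipFile(release, "w") as outer:
        outer.writestr(JAR_ENTRY, inner.getvalue())
    return release


def run_demo():
    """Build the sample release in a temp dir and scan it; returns findings."""
    release = build_sample_release(mkdtemp())
    return scan_archive(release)


if __name__ == "__main__":
    for entry, kind, value in run_demo():
        print(f"{kind:14} {value}  <- {entry}")
```

On the constructed release the scanner reports one client_id and one client_secret, both attributed to the nested path openrefine-gdata.jar!com/google/refine/extension/gdata/GoogleAPIExtension.java. Run it against every artifact your release pipeline publishes, not just the source tree, since a credential that is injected at build time never appears in the repository a source-only secret scanner reads.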