The omniauth-bnet gem depends on OmniAuth v1, which contains a potential CSRF vulnerability by default. Information on the vulnerability can be found in CVE-2015-9284, and more detailed discussion can be found at https://github.com/omniauth/omniauth/pull/809. (Please note that the linked pull request title is misleading: this vulnerability affects any Ruby application utilizing OmniAuth v1 without proper CSRF protection.)

While mitigation strategies are possible from the end developer’s side, an insurmountable issue is that OmniAuth strategies which rely on OmniAuth v2 are fundamentally incompatible with the current omniauth-bnet gem. Therefore, in the interest of user security and minimizing developer hassle, I would suggest that the omniauth-bnet gem be updated to depend on version 2.0 or higher of the OmniAuth gem.
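For readers unfamiliar with what the CVE-2015-9284 fix changes, the following is an added illustration (not code from omniauth, omniauth-bnet, or the issue author) of the request-phase rule that OmniAuth 2 enforces by default and OmniAuth 1 does not: the `/auth/:provider` request phase only accepts POST, and the application supplies a CSRF token check before the redirect to the provider. The class and helper names (`AuthRequestPhaseGuard`, `guarded_status`) and the session key `csrf_token` are assumptions made for this example.

```ruby
require 'stringio'
require 'uri'

# Minimal Rack-style middleware reproducing the OmniAuth 2 request-phase defaults
# (POST only plus a CSRF token check). Illustrative only; not omniauth's own code.
class AuthRequestPhaseGuard
  REQUEST_PHASE = %r{\A/auth/[^/]+\z}   # matches /auth/bnet, not /auth/bnet/callback

  def initialize(app)
    @app = app
  end

  def call(env)
    # Only the request phase (the redirect out to the provider) needs the guard;
    # the callback phase is protected by the OAuth state parameter instead.
    return @app.call(env) unless REQUEST_PHASE.match?(env['PATH_INFO'].to_s)
    return reject(405, 'request phase must be POST') unless env['REQUEST_METHOD'] == 'POST'

    expected = (env['rack.session'] || {})['csrf_token'].to_s   # assumed session key
    submitted = form_field(env, 'authenticity_token')
    return reject(403, 'invalid authenticity token') unless expected != '' && secure_equal?(submitted, expected)

    @app.call(env)
  end

  private

  def form_field(env, name)
    input = env['rack.input'] || StringIO.new('')
    body = input.read.to_s
    input.rewind
    URI.decode_www_form(body).to_h[name].to_s
  end

  # Constant-time comparison so the token check does not leak via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def reject(status, message)
    [status, { 'content-type' => 'text/plain' }, [message]]
  end
end

# Constructed request helper: returns the HTTP status the guarded app answers with.
def guarded_status(method, path, body: '', session: {})
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path,
          'rack.input' => StringIO.new(body), 'rack.session' => session }
  AuthRequestPhaseGuard.new(app).call(env).first
end
```

A GET to `/auth/bnet` (the link an attacker could plant on a third-party page) is refused outright, and a POST only proceeds when the form carries the token stored in the victim's own session.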