OAuth-related vulnerabilities found in the widely used application development framework Expo could have been exploited to take control of user accounts, according to API security firm Salt Security.
Expo is an open source platform for developing universal native apps for mobile devices and the web. The company says its product is used by more than 600,000 developers, including several major companies.
Researchers at Salt Security analyzed the OAuth functionality provided by Expo, which allows developers to enable user authentication through third-party services such as Facebook and Google.
Their analysis led to the discovery of security flaws that could have been exploited by tricking the targeted user into clicking on a specially crafted link. An attacker could have used the attack method to hijack sessions and take full control of the user’s account which, Salt Security pointed out, could have led to the exposure of sensitive information, financial fraud, or identity theft.
In some cases, an attacker could have also used the exploit to perform actions on behalf of the targeted user on platforms such as Facebook, Google or Twitter.
The vulnerabilities, tracked as CVE-2023-28131, were reported to Expo developers in mid-February and they were quickly addressed. Expo published a blog post detailing the steps it has taken to prevent exploitation. There is no evidence of a breach or malicious exploitation, Expo developers said.
“The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials” the company explained. “This was because auth.expo.io used to store an app’s callback URL before the user explicitly confirmed they trust the callback URL. After the hotfix, auth.expo.io now requires users to confirm they trust unverified callback URLs.”
Salt Security noted that only implementations using the AuthSession Proxy of the social login component of Expo were affected.
Salt researchers found hundreds of potentially impacted services, including coding classes platform Codecademy, on which they demonstrated how the exploit could be used to take control of accounts.
Salt Security’s disclosure comes just months after the company reported finding OAuth implementation vulnerabilities that could have been exploited to hack Booking.com accounts.
Related: Vulnerability in Toyota Management Platform Provided Access to Customer Data
Related: R1Soft Server Backup Manager Vulnerability Exploited to Deploy Backdoor
Related: Google Cloud Platform Vulnerability Led to Stealthy Account Backdoors

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
Latest News
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
