Connect with us

Hi, what are you looking for?



OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers

OAuth vulnerabilities found in the widely used Expo application development platform could have been exploited for account takeovers.

OAuth-related vulnerabilities found in the widely used application development framework Expo could have been exploited to take control of user accounts, according to API security firm Salt Security.

Expo is an open source platform for developing universal native apps for mobile devices and the web. The company says its product is used by more than 600,000 developers, including several major companies.

Researchers at Salt Security analyzed the OAuth functionality provided by Expo, which allows developers to enable user authentication through third-party services such as Facebook and Google. 

Their analysis led to the discovery of security flaws that could have been exploited by tricking the targeted user into clicking on a specially crafted link. An attacker could have used the attack method to hijack sessions and take full control of the user’s account which, Salt Security pointed out, could have led to the exposure of sensitive information, financial fraud, or identity theft.

In some cases, an attacker could have also used the exploit to perform actions on behalf of the targeted user on platforms such as Facebook, Google or Twitter.

The vulnerabilities, tracked as CVE-2023-28131, were reported to Expo developers in mid-February and they were quickly addressed. Expo published a blog post detailing the steps it has taken to prevent exploitation. There is no evidence of a breach or malicious exploitation, Expo developers said.

“The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials” the company explained. “This was because used to store an app’s callback URL before the user explicitly confirmed they trust the callback URL. After the hotfix, now requires users to confirm they trust unverified callback URLs.” 

Advertisement. Scroll to continue reading.

Salt Security noted that only implementations using the AuthSession Proxy of the social login component of Expo were affected. 

Salt researchers found hundreds of potentially impacted services, including coding classes platform Codecademy, on which they demonstrated how the exploit could be used to take control of accounts. 

Salt Security’s disclosure comes just months after the company reported finding OAuth implementation vulnerabilities that could have been exploited to hack accounts.

Related: Vulnerability in Toyota Management Platform Provided Access to Customer Data

Related: R1Soft Server Backup Manager Vulnerability Exploited to Deploy Backdoor

Related: Google Cloud Platform Vulnerability Led to Stealthy Account Backdoors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.