Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers

OAuth vulnerabilities found in the widely used Expo application development platform could have been exploited for account takeovers.

OAuth-related vulnerabilities found in the widely used application development framework Expo could have been exploited to take control of user accounts, according to API security firm Salt Security.

Expo is an open source platform for developing universal native apps for mobile devices and the web. The company says its product is used by more than 600,000 developers, including several major companies.

Researchers at Salt Security analyzed the OAuth functionality provided by Expo, which allows developers to enable user authentication through third-party services such as Facebook and Google. 

Their analysis led to the discovery of security flaws that could have been exploited by tricking the targeted user into clicking on a specially crafted link. An attacker could have used the attack method to hijack sessions and take full control of the user’s account which, Salt Security pointed out, could have led to the exposure of sensitive information, financial fraud, or identity theft.

In some cases, an attacker could have also used the exploit to perform actions on behalf of the targeted user on platforms such as Facebook, Google or Twitter.

The vulnerabilities, tracked as CVE-2023-28131, were reported to Expo developers in mid-February and they were quickly addressed. Expo published a blog post detailing the steps it has taken to prevent exploitation. There is no evidence of a breach or malicious exploitation, Expo developers said.

“The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials” the company explained. “This was because auth.expo.io used to store an app’s callback URL before the user explicitly confirmed they trust the callback URL. After the hotfix, auth.expo.io now requires users to confirm they trust unverified callback URLs.” 

Salt Security noted that only implementations using the AuthSession Proxy of the social login component of Expo were affected. 

Advertisement. Scroll to continue reading.

Salt researchers found hundreds of potentially impacted services, including coding classes platform Codecademy, on which they demonstrated how the exploit could be used to take control of accounts. 

Salt Security’s disclosure comes just months after the company reported finding OAuth implementation vulnerabilities that could have been exploited to hack Booking.com accounts.

Related: Vulnerability in Toyota Management Platform Provided Access to Customer Data

Related: R1Soft Server Backup Manager Vulnerability Exploited to Deploy Backdoor

Related: Google Cloud Platform Vulnerability Led to Stealthy Account Backdoors

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.