OAuth-related vulnerabilities found in the widely used application development framework Expo could have been exploited to take control of user accounts, according to API security firm Salt Security.
Expo is an open source platform for developing universal native apps for mobile devices and the web. The company says its product is used by more than 600,000 developers, including several major companies.
Researchers at Salt Security analyzed the OAuth functionality provided by Expo, which allows developers to enable user authentication through third-party services such as Facebook and Google.
Their analysis led to the discovery of security flaws that could have been exploited by tricking the targeted user into clicking on a specially crafted link. An attacker could have used the attack method to hijack sessions and take full control of the user’s account which, Salt Security pointed out, could have led to the exposure of sensitive information, financial fraud, or identity theft.
In some cases, an attacker could have also used the exploit to perform actions on behalf of the targeted user on platforms such as Facebook, Google or Twitter.
The vulnerabilities, tracked as CVE-2023-28131, were reported to Expo developers in mid-February and they were quickly addressed. Expo published a blog post detailing the steps it has taken to prevent exploitation. There is no evidence of a breach or malicious exploitation, Expo developers said.
“The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials,” the company explained. “This was because auth.expo.io used to store an app’s callback URL before the user explicitly confirmed they trust the callback URL. After the hotfix, auth.expo.io now requires users to confirm they trust unverified callback URLs.”
Salt Security noted that only implementations using the AuthSession Proxy of the social login component of Expo were affected.
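The ordering Expo describes in its hotfix, modeled as an added example that is not Expo's code: a requested callback URL is held as pending and only becomes the redirect target once it matches a pre-verified entry or the user explicitly accepts it. The class, method and field names are hypothetical, and the URLs and credential value are constructed samples.

```javascript
// Added illustration of "confirm before trusting the callback URL".
// AuthProxy and its methods are hypothetical names, not Expo's API.
class AuthProxy {
  constructor(verifiedCallbacks) {
    // Callbacks registered in advance by the app owner (assumed allowlist).
    this.verified = new Set(verifiedCallbacks.map((u) => new URL(u).toString()));
    this.sessions = new Map(); // sessionId -> { pending, trusted }
  }

  // Step 1: a login is requested with a callback URL. The URL is recorded
  // as pending; it is trusted immediately only if it is pre-verified.
  start(sessionId, callbackUrl) {
    const url = new URL(callbackUrl).toString(); // throws on malformed input
    const trusted = this.verified.has(url) ? url : null;
    this.sessions.set(sessionId, { pending: url, trusted });
    return { needsConfirmation: trusted === null, callback: url };
  }

  // Step 2: the user is shown the exact pending URL and decides.
  confirm(sessionId, userAccepted) {
    const s = this.sessions.get(sessionId);
    if (!s) throw new Error("unknown session");
    if (userAccepted) s.trusted = s.pending;
    else this.sessions.delete(sessionId);
    return userAccepted;
  }

  // Step 3: the provider returned a credential. It is forwarded only to a
  // trusted callback, and the session entry is single use.
  finish(sessionId, credential) {
    const s = this.sessions.get(sessionId);
    this.sessions.delete(sessionId);
    if (!s || s.trusted === null) {
      return { forwarded: false, reason: "callback not trusted" };
    }
    const target = new URL(s.trusted);
    target.searchParams.set("code", credential);
    return { forwarded: true, location: target.toString() };
  }
}
```

The pre-hotfix behavior quoted above corresponds to treating the pending URL as trusted in step 1, which is the assignment this model defers until step 2.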
Salt researchers found hundreds of potentially impacted services, including coding classes platform Codecademy, on which they demonstrated how the exploit could be used to take control of accounts.
Salt Security’s disclosure comes just months after the company reported finding OAuth implementation vulnerabilities that could have been exploited to hack Booking.com accounts.