A critical security flaw has been uncovered in the famous application development framework Expo.io, potentially exposing sensitive data and allowing unauthorized access to user accounts. The vulnerability, identified as CVE-2023-28131, has a high severity rating of 9.6 on the CVSS scale. This report is according to API security firm Salt Labs’ discovery.
The vulnerability specifically affects the Open Authorization (OAuth) implementation in Expo.io, leaving services that use the framework vulnerable to credential leakage. It could enable threat actors to hijack accounts and gain unauthorized access to personal information. The exploit could aid in carrying out unauthorized actions on various platforms, including Facebook, Google, and Twitter, on behalf of compromised users.
Expo.io, an open-source platform for developing universal native apps, runs on Android, iOS, and the web. To successfully exploit the vulnerability, websites and applications utilizing Expo should have configured the AuthSession Proxy setting for single sign-on (SSO) using third-party providers.
The attack vector involves tricking users into clicking on carefully crafted links, often delivered through email, SMS messages, or suspicious websites. Clicking on these links could expose the secret tokens associated with sign-in providers, allowing attackers to gain control over victims’ accounts.
Expo promptly addressed the issue by releasing a hotfix shortly after the February 18, 2023, disclosure. They also recommend migrating from AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers for SSO security enhancement.
James Ide from Expo highlighted the nature of the vulnerability, explaining that it could have allowed attackers to deceive users into visiting malicious links and unintentionally revealing their third-party authentication credentials. The flaw stemmed from how auth.expo.io stored an app’s callback URL before obtaining explicit user confirmation of trust.
This disclosure comes on the heels of similar OAuth vulnerabilities found in Booking.com and Kayak.com, which could have resulted in account takeovers and unauthorized access to personal and payment data. Swiss cybersecurity company Sonar also recently uncovered security issues in the Pimcore content management system and LibreNMS network monitoring software.
These incidents highlight the importance of robust security measures and prompt patching to protect against evolving cyber threats.
