Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking

Critical OAuth Vulnerability in Expo Framework

A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework

The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data.

Under certain circumstances, a threat actor could have taken advantage of the flaw to perform arbitrary actions on behalf of a compromised user on various platforms such as Facebook, Google, or Twitter.

Expo, similar to Electron, is an open source platform for developing universal native apps that run on Android, iOS, and the web.

It’s worth noting that for the attack to be successful, sites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider such as Google and Facebook.

Put differently, the vulnerability could be leveraged to send the secret token associated with a sign-in provider (e.g., Facebook) to an actor-controlled domain and use it to seize control of the victim’s account.

This, in turn, is accomplished by tricking the targeted user into clicking on a specially crafted link that could be sent via traditional social engineering vectors like email, SMS messages, or a dubious website.

Expo, in an advisory, said it deployed a hotfix within hours of responsible disclosure on February 18, 2023. It’s also recommended that users migrate from using AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers to enable SSO features.

Read more: