A significant security vulnerability has been exposed in the Open Authorization (OAuth) implementation of Expo.io, a popular application development framework. Assigned the CVE identifier CVE-2023-28131, this vulnerability carries a high severity rating of 9.6 on the CVSS scoring system.
API security firm Salt Labs has reported that the flaw leaves services built on the Expo framework vulnerable to credential leakage, potentially leading to account hijacking and unauthorized access to sensitive data. Under specific circumstances, the vulnerability enables threat actors to carry out unauthorized actions on behalf of compromised users across platforms such as Facebook, Google, and Twitter. Expo.io, similar to Electron, is an open-source platform used for developing universal native apps compatible with Android, iOS, and the web.
It is important to note that successful attacks rely on Expo-powered websites and applications having configured the AuthSession Proxy setting for single sign-on (SSO) with third-party providers like Google and Facebook.
In simpler terms, the vulnerability allows attackers to redirect the secret token associated with a sign-in provider (e.g., Facebook) to a domain controlled by the attacker, effectively gaining control over the victim’s account.
To exploit this vulnerability, attackers typically employ social engineering techniques, such as sending specially crafted links via email, SMS messages, or dubious websites, in an attempt to trick targeted users into clicking on them.
Expo.io promptly addressed the issue by deploying a hotfix soon after responsible disclosure on February 18, 2023. Additionally, users are strongly advised to transition from using AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers to enable SSO functionality.
According to James Ide of Expo, “The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials. This was because auth.expo.io used to store an app’s callback URL before the user explicitly confirmed they trust the callback URL.”
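The root cause Ide describes is a callback URL that was persisted before it had been validated. The following is an added Node.js example (not Expo's code) of the defender-side check a proxy of this kind needs: a callback URL is compared against the app's pre-registered callbacks before anything is stored in the session. The app slug, registered URLs, and session store are constructed values.

```javascript
// Constructed sample: callbacks an app registered ahead of time (web URL and
// native deep-link scheme). Real deployments load this from the app's config.
const REGISTERED_CALLBACKS = {
  "@acme/travel": [
    "https://travel.example.com/auth/callback",
    "acmetravel://auth/callback",
  ],
};

// Canonical form for exact comparison: scheme and host are lowercased by the
// URL parser, default ports are dropped, query is kept (OAuth redirect URIs are
// matched by simple string comparison), fragments and embedded credentials are
// rejected outright. Anything that does not parse is rejected.
function canonicalize(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.username || u.password) return null; // "https://good.example@evil.example/"
  if (u.hash) return null;                   // fragments never belong in a callback
  return `${u.protocol}//${u.host}${u.pathname}${u.search}`;
}

// A candidate callback is allowed only if it matches a registered one exactly.
// Prefix or suffix matching would let "travel.example.com.attacker.example" through.
function isAllowedCallback(appSlug, candidate) {
  const allowed = (REGISTERED_CALLBACKS[appSlug] || []).map(canonicalize);
  const c = canonicalize(candidate);
  return c !== null && allowed.includes(c);
}

// Proxy-side session start: the decision is made before the callback is stored,
// so an unvalidated URL can never be the destination the token is sent to.
function startAuthSession(appSlug, callbackUrl, sessionStore) {
  if (!isAllowedCallback(appSlug, callbackUrl)) {
    return { ok: false, reason: "callback URL not registered for this app" };
  }
  sessionStore.set(appSlug, { callbackUrl: canonicalize(callbackUrl) });
  return { ok: true };
}
```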
This disclosure follows the discovery of similar OAuth vulnerabilities in Booking.com and Kayak.com, which could have resulted in unauthorized access to user accounts and exposure of personal and payment-card data. Additionally, Swiss cybersecurity company Sonar recently identified a path traversal and SQL injection flaw (CVE-2023-28438) in the Pimcore enterprise content management system, as well as an unauthenticated, stored cross-site scripting vulnerability affecting LibreNMS versions 22.10.0 and earlier, which could lead to remote code execution when Simple Network Management Protocol (SNMP) is enabled.