Attackers could have harvested authentication credentials passed through the Open Authorization (OAuth) protocol because of a serious API flaw in the Expo open source framework.
According to the researchers at Salt Labs who discovered the issue, the vulnerability, while affecting a relatively small number of developers, had the potential to affect a large number of people signing in to services such as Facebook, Twitter, or Spotify through the open source framework.
An attacker could have hijacked accounts and stolen credentials on any mobile app or website configured to use the Expo AuthSession Redirect Proxy. A victim simply clicking a malicious link could have triggered the attack. Expo (auth.expo.io) lets developers build native apps for iOS, Android, and the web, and is widely regarded as a useful tool for accelerating application development.
Instead of conventional user registration and username/password authentication, sites and apps use the industry standard OAuth as a “one click” login that grants access through social network accounts. The researchers found that, by manipulating the OAuth flow on the Expo website, they could hijack sessions, take over accounts, steal users’ financial and health information, and act on the user’s behalf.
The researchers reported their findings to Expo, which promptly fixed the API flaw. Expo stated that the vulnerability, tracked as CVE-2023-28131 with a CVSS score of 9.6, had not been exploited in the wild.
The bug is classed as an API redirection vulnerability. According to a technical explanation, the auth.expo.io framework stored an application’s callback URL “before the user explicitly confirmed they trust the callback URL.” The flaw was discovered in February, published in the NIST National Vulnerability Database in April, and updated on May 2.
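To make the ordering problem concrete, here is an added example (not Expo's code, and not derived from the advisory) of a hypothetical redirect proxy in Node.js. It contrasts a flow that persists the app's callback URL as soon as the flow starts with one that only treats the callback as a redirect target after the user has confirmed it and it matches the callbacks the app registered. The app slug, registry and URLs are constructed.

```javascript
// Hypothetical model of an OAuth redirect proxy's handling of the app callback
// URL (added example, not Expo's code). All names and URLs are constructed.

// Constructed registry: each app slug -> callback URLs it registered in advance.
const registeredCallbacks = {
  "demo-app": ["exp://127.0.0.1:19000", "myapp://auth"],
};

// True only if `candidate` parses and matches a registered callback for the app
// (same scheme and host, path under the registered path).
function isAllowedCallback(appSlug, candidate) {
  let parsed;
  try { parsed = new URL(candidate); } catch { return false; }
  return (registeredCallbacks[appSlug] || []).some((entry) => {
    const reg = new URL(entry);
    return reg.protocol === parsed.protocol && reg.host === parsed.host &&
      parsed.pathname.startsWith(reg.pathname);
  });
}

// Weak ordering, the class of defect the article describes: the callback is
// persisted the moment the flow starts, before the user has confirmed anything.
function startFlowWeak(session, appSlug, returnUrl) {
  session.appSlug = appSlug;
  session.returnUrl = returnUrl; // already usable as a redirect target
}

// Corrected ordering: the start step only records the request; the callback
// becomes a redirect target only after explicit confirmation and validation.
function startFlow(session, appSlug, requestedReturnUrl) {
  session.appSlug = appSlug;
  session.requestedReturnUrl = requestedReturnUrl;
  session.returnUrl = null;
}

function confirmFlow(session, userConfirmed) {
  const ok = userConfirmed && isAllowedCallback(session.appSlug, session.requestedReturnUrl);
  session.returnUrl = ok ? session.requestedReturnUrl : null;
  return ok;
}

// Provider callback handler: hand the authorization code only to a confirmed,
// validated callback; otherwise fail closed with no redirect at all.
function completeFlow(session, providerResult) {
  if (!session.returnUrl) return { status: 400, location: null };
  const target = new URL(session.returnUrl);
  target.searchParams.set("code", providerResult.code);
  return { status: 302, location: target.toString() };
}
```

The confirmation step and the allowlist check are deliberately combined, so a callback that the user never saw, or that was not registered for the app, can never become the target of the final redirect.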
Engineers using OAuth should ask what the various options actually do, choose the more secure option wherever possible, and confirm the potential impact whenever they select settings other than the defaults, according to Zane Bond, head of product at Keeper Security. Mike Parkin, senior technical engineer at Vulcan Cyber, said the OAuth vulnerability could present a fairly wide range of risks.