Critical Vulnerability Discovered in Expo.io’s OAuth Implementation
A significant security flaw has been uncovered in the Open Authorization (OAuth) implementation used by Expo.io, a popular application development platform. The vulnerability, tracked as CVE-2023-28131, carries a severity score of 9.6 on the Common Vulnerability Scoring System (CVSS). According to API security firm Salt Labs, the weakness allows credentials to leak from services built on the framework, letting attackers take over accounts and access sensitive information.
Under specific conditions, a malicious actor could exploit the flaw to perform unauthorized actions on behalf of unsuspecting users on major platforms such as Facebook, Google, and Twitter. Expo.io, much like Electron, is used to build universal native applications for Android, iOS, and the web. It is essential to note that successful exploitation hinges on the application having the AuthSession Proxy setting configured for single sign-on (SSO) through a third-party authentication provider.
The vulnerability allows adversaries to redirect the secret tokens issued by sign-in providers to domains under their own control, effectively letting them seize the affected accounts. An attack requires only that the targeted user click a malicious link, delivered by email, SMS, or a malicious website.
In response to this critical issue, Expo.io swiftly implemented a hotfix on February 18, 2023, shortly after the flaw was responsibly disclosed. The company also recommended that users transition from utilizing AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers to enhance the security of SSO features.
According to James Ide of Expo, the vulnerability placed users at risk of inadvertently exposing their third-party authentication credentials. The exposure stemmed from the fact that auth.expo.io previously stored an application's callback URL before the user had confirmed that the URL was trusted, which created a path for credentials to be sent to an unintended destination.
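The ordering problem Ide describes, as an added illustration that is not Expo's code: a hypothetical OAuth relay in JavaScript, shown first in the flawed shape (the app-supplied return URL is stored as soon as the login starts and is used whether or not the user confirmed it or the app registered it), then hardened so that the return URL must match a deep link the app registered in advance, is only persisted after the user confirms it, and is used at most once. The app slug `@acme/shop`, the registered URLs, the session identifiers and the token values are constructed sample data; the class and function names are invented for this example.

```javascript
// Added example (hypothetical model, not Expo's code): an OAuth relay that
// forwards a provider-issued token to an app-supplied return URL.

// Constructed registry: each app declares its deep-link return URLs up front.
const REGISTERED_APPS = {
  "@acme/shop": ["acmeshop://auth", "https://shop.example/auth"],
};

// Reduce a URL to scheme + host + path so that query strings, fragments and
// dot-segments ("/auth/../admin") cannot be used to slip past the comparison.
function normalizeReturnUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // unparseable input is never an acceptable destination
  }
  return `${url.protocol}//${url.host}${url.pathname}`;
}

// Exact match against the app's registered deep links, after normalization.
function isAllowedReturnUrl(appSlug, candidate) {
  const allowed = REGISTERED_APPS[appSlug] || [];
  const wanted = normalizeReturnUrl(candidate);
  if (wanted === null) return false;
  return allowed.some((entry) => normalizeReturnUrl(entry) === wanted);
}

// Flawed relay: whatever return URL arrives with the login request is stored
// immediately and used later, with no registration check and no consent check.
class FlawedRelay {
  constructor() {
    this.sessions = new Map();
  }
  start(sessionId, appSlug, returnUrl) {
    this.sessions.set(sessionId, { appSlug, returnUrl, confirmed: false });
  }
  confirm(sessionId) {
    const s = this.sessions.get(sessionId);
    if (s) s.confirmed = true;
  }
  complete(sessionId, token) {
    const s = this.sessions.get(sessionId);
    if (!s) return null;
    // Bug: s.confirmed is never consulted and the URL was never validated.
    return `${s.returnUrl}#access_token=${encodeURIComponent(token)}`;
  }
}

// Hardened relay: nothing is persisted before the user confirms, the return
// URL must be registered for the app, and the token is released only once.
class HardenedRelay {
  constructor() {
    this.confirmed = new Map(); // user-approved destinations only
  }
  // Validates and returns the consent prompt to show; stores nothing.
  start(appSlug, returnUrl) {
    if (!isAllowedReturnUrl(appSlug, returnUrl)) {
      return { ok: false, reason: "return URL not registered for app" };
    }
    const dest = normalizeReturnUrl(returnUrl);
    return { ok: true, prompt: `Allow ${appSlug} to receive your login at ${dest}?` };
  }
  // Called when the user accepts the prompt; re-validates before storing.
  confirm(sessionId, appSlug, returnUrl) {
    if (!isAllowedReturnUrl(appSlug, returnUrl)) return false;
    this.confirmed.set(sessionId, { appSlug, returnUrl: normalizeReturnUrl(returnUrl) });
    return true;
  }
  complete(sessionId, token) {
    const s = this.confirmed.get(sessionId);
    if (!s) return null; // unknown or unconfirmed session: never release the token
    this.confirmed.delete(sessionId); // one-shot: a second completion gets nothing
    return `${s.returnUrl}#access_token=${encodeURIComponent(token)}`;
  }
}

module.exports = { normalizeReturnUrl, isAllowedReturnUrl, FlawedRelay, HardenedRelay };
```

The hardened version makes two independent changes, and both matter: validating against a pre-registered allowlist stops tokens from being sent anywhere the app did not declare, while deferring persistence until the confirm step means that a login request on its own can never plant a destination that a later session will trust.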
The recent disclosure follows the identification of similar OAuth vulnerabilities on Booking.com and Kayak.com, which, if exploited, could give attackers unauthorized access to user accounts and sensitive data. In related security reports, Swiss cybersecurity firm Sonar has revealed other vulnerabilities within enterprise applications like the Pimcore content management system and LibreNMS, indicating the persistent nature of these security threats across various platforms.
The implications are significant, particularly for businesses that rely on the Expo.io framework for their applications. In MITRE ATT&CK terms, the flaw gives threat actors an initial-access route through phishing and a way to abuse valid accounts, from which they can go on to compromise user data and system integrity.
This incident serves as a critical reminder of the importance of robust security protocols and timely updates in software development frameworks. As the cybersecurity landscape evolves, the collaboration between application developers and security professionals becomes vital to safeguard user data against emerging threats. Business owners are urged to remain vigilant and proactive in their cybersecurity strategies, especially when relying on third-party platforms for user authentication.