Critical OAuth Vulnerability in Expo Framework Enables Account Hijacking


May 27, 2023 | Ravie Lakshmanan | API Security / Vulnerabilities

A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the Expo.io app development framework.

The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security company Salt Labs said the issue leaves services using the framework vulnerable to credential leakage, which can then be used to hijack accounts and siphon sensitive data.

In certain circumstances, threat actors can exploit these weaknesses to perform arbitrary actions on behalf of compromised users across platforms such as Facebook, Google or Twitter.

Expo, similar to Electron, is an open source platform for developing universal native apps that run on Android, iOS, and the web.

It should be noted that for an attack to be successful, sites and apps using Expo must have configured the AuthSession Proxy setting for single sign-on (SSO) using third-party providers such as Google and Facebook.

In other words, the vulnerability could be exploited to send a secret token associated with a login provider (e.g., Facebook) to an actor-controlled domain and use it to seize control of the victim’s account.

This, in turn, is accomplished by tricking targeted users into clicking specially crafted links that can be sent via traditional social engineering vectors such as email, SMS messages, or dubious websites.

Expo, in an advisory, said it implemented the hotfix within hours of the responsible disclosure on February 18, 2023. Users are also advised to migrate from using the AuthSession API proxy to directly registering deep link URL schemes with third-party authentication providers to enable SSO features.

“The vulnerability would allow potential attackers to trick users into visiting malicious links, logging in to third-party authentication providers, and accidentally disclosing their third-party authentication credentials,” James Ide of Expo said.

“This is because auth.expo.io is used to store an app’s callback URL before the user explicitly confirms they trust the callback URL.”
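The weakness described above is a callback URL being recorded before it is trusted. The following added example (not Expo's code or its actual fix) shows one common server-side control for that class of issue: exact-match validation of the callback against URLs registered in advance, performed before anything is stored. The registry contents and all function names are hypothetical.

```javascript
// Added example; REGISTERED_CALLBACKS, canonicalCallback, isTrustedCallback
// and beginSignIn are hypothetical names, not Expo APIs.

// Constructed registry: app id -> callback URLs registered ahead of time.
const REGISTERED_CALLBACKS = new Map([
  ["@example/shop", [
    "exampleshop://auth/callback",
    "https://shop.example.com/auth/callback",
  ]],
]);

// Parse a callback and reduce it to scheme + host + path.
// Returns null for anything unparsable or carrying userinfo.
function canonicalCallback(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (u.username || u.password) return null;
  return `${u.protocol}//${u.host}${u.pathname}`;
}

// Exact match against the app's registered callbacks; no prefix or
// substring matching, which look-alike hosts would satisfy.
function isTrustedCallback(appId, raw) {
  const candidate = canonicalCallback(raw);
  if (candidate === null) return false;
  const registered = REGISTERED_CALLBACKS.get(appId) || [];
  return registered.some((r) => canonicalCallback(r) === candidate);
}

// Record the callback for a sign-in session only after it is trusted,
// so the provider's token is never forwarded to an unvetted URL.
function beginSignIn(sessions, sessionId, appId, callbackUrl) {
  if (!isTrustedCallback(appId, callbackUrl)) {
    return { ok: false, reason: "callback not registered for app" };
  }
  sessions.set(sessionId, { appId, callbackUrl: canonicalCallback(callbackUrl) });
  return { ok: true };
}
```

Path normalization happens during URL parsing, so a callback that uses `..` segments to leave the registered path fails the exact comparison.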

The disclosure follows the discovery of similar OAuth issues in Booking.com (and similar sites such as Kayak.com) that could be exploited to take control of a user’s account, gain full visibility into their personal or payment card data, and perform actions on behalf of the victim.

The findings also come weeks after Swiss cybersecurity firm Sonar detailed a path traversal and SQL injection flaw in the Pimcore enterprise content management system (CVE-2023-28438) that can be abused by an adversary to run arbitrary PHP code on the server with the permissions of the web server.

In March 2023, Sonar also disclosed an unauthenticated stored cross-site scripting vulnerability affecting LibreNMS versions 22.10.0 and earlier, which could be exploited to gain remote code execution when Simple Network Management Protocol (SNMP) is enabled.
