OAuth Flaw in Expo Platform Affects Hundreds of Third-Party Sites, Apps

Published: 23/11/2024   Category: security


A cybersecurity vulnerability found in an implementation of the social login functionality opens the door to account takeovers and more.



A vulnerability in the implementation of the Open Authorization (OAuth) standard that websites and applications use to connect to Facebook, Google, Apple, Twitter, and more could allow attackers to take over user accounts, access and/or leak sensitive information, and even commit financial fraud.
OAuth comes into play when a user logs in to a website and clicks on a link to log in with another social media account, such as "Log in with Facebook" or "Log in with Google" — a feature that many sites use to allow cross-platform authentication. A team from API security firm Salt Security's Salt Labs discovered the flaw, tracked as CVE-2023-28131, in the OAuth implementation in Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase.
Specifically, the flaw could potentially affect any user who uses a social media account to log in to an online service built on the framework, the researchers revealed in a blog post published May 24.
The vulnerability is the second — and more impactful — one that Salt researchers have found in an online platform's implementation of OAuth, which is proving to be a tricky standard to implement securely. In March, Salt discovered a flaw in Booking.com's implementation of OAuth that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.
The flaw in Expo could have had a much wider impact than the Booking.com flaw because of Expo's wide install base, Aviad Carmel, Salt security researcher, tells Dark Reading.
"Because this second OAuth vulnerability was discovered in a third-party framework used by hundreds of companies, the potential exposure was far greater," he says. "It could have impacted the OAuth implementations of hundreds of websites and apps."
Moreover, OAuth is becoming a de facto authentication standard in modern service-based architectures, as well as in emerging artificial intelligence (AI)-based platforms. This inherently means any vulnerabilities in OAuth implementations have a broad reach. In fact, in other research unveiled May 24, software-as-a-service (SaaS) security firm DoControl revealed that 24 percent of third-party AI apps require risky OAuth permissions.
Expo patched CVE-2023-28131 within hours after Salt researchers flagged the issue, and the developers maintaining the platform recommended in a blog post detailing the flaw that customers update their Expo deployments to fully mitigate the risk.
However, the mounting list of OAuth vulnerabilities, and the complexity of configuring the standard correctly that they highlight, suggest that more websites and apps could have undiscovered flaws lurking beneath the surface.
The findings also demonstrate how enterprises are adversely and broadly affected when third-party frameworks introduce API vulnerabilities into their environment, often without them knowing. "This puts customers at risk for credential leaks or account takeover, and gives threat actors a platform from which to launch further attacks," the researchers said.
When a user clicks on an OAuth-enabled link to log in to Site A with a social media account, Site A opens a new window to Facebook, Google, or whichever trusted account is being used. If it's the user's first time visiting Site A, the social media page will ask for permission to share details with Site A. If the user has gone through the process before, the social media site will automatically authenticate the user to Site A.
Salt Labs researchers discovered CVE-2023-28131 in Codecademy.com, an online platform that offers free coding classes across a dozen programming languages. Companies including Google, LinkedIn, Amazon, Spotify, and others use the site to help train employees, and the site has around 100 million users. The researchers ultimately exploited the flaw to gain complete control of Codecademy.com accounts, they said.
The vulnerability in the OAuth implementation within Expo relates to the social sign-in process, Carmel tells Dark Reading. "When users sign in using their Facebook or Google credentials, Expo acts as an intermediary and transfers the user's credentials to the target website," he says.
Attackers could have exploited CVE-2023-28131 by intercepting this flow and manipulating Expo to send the user credentials to a malicious domain instead of the intended destination, Carmel explains.
This exploitation could have led to leaks of personal data or even financial fraud if attackers used the credentials to log in to users' financial accounts. Threat actors also could potentially have performed actions on behalf of users on their social media accounts, Carmel says.
OAuth's popularity stems from the much more seamless user experience it provides when people interact with frequently used websites. However, it has a complex technical back end that can lead to implementation mistakes, creating security gaps that are ripe for exploitation, the researchers said.
To secure an OAuth implementation, then, an organization must understand how OAuth functions and which endpoints can receive user input, Carmel says.
"Attackers may attempt to manipulate these inputs, so validating each one is essential," he advises. "This can be achieved by maintaining a whitelist of predetermined values or implementing other strict validation methods."
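As an added example that is not Expo's or Salt Labs' code, this JavaScript sketch applies the allowlist advice above to the one input at the heart of this flaw, the return URL an OAuth intermediary forwards the login result to; the hostnames and sample inputs are constructed for the example.

```javascript
// Added example, not Expo's or Salt Labs' code: an OAuth intermediary that
// forwards the login result to a caller-supplied return URL must validate
// that URL against a fixed allowlist, as the advice above recommends.
// All hostnames below are constructed for this example.
const ALLOWED_RETURN_ORIGINS = new Set([
  "https://app.example.com",
  "https://staging.example.com",
]);

// A prefix check looks like an allowlist but is not: any URL that merely
// begins with the trusted string passes, including lookalike hosts.
function naiveIsAllowed(returnUrl) {
  return returnUrl.startsWith("https://app.example.com");
}

// Strict check: parse first, then compare the whole origin (scheme, host,
// port) against the allowlist; anything unparseable or odd is rejected.
function strictIsAllowed(returnUrl) {
  let url;
  try {
    url = new URL(returnUrl);
  } catch (err) {
    return false; // not a URL at all: never forward to it
  }
  if (url.protocol !== "https:") return false; // no downgrade to http
  if (url.username !== "" || url.password !== "") return false; // no userinfo
  return ALLOWED_RETURN_ORIGINS.has(url.origin); // exact origin match only
}

// Where the login result is sent: the validated return URL, or a safe default
// when validation fails, so the result never leaves the allowlisted origins.
function chooseReturnUrl(returnUrl, fallback = "https://app.example.com/login") {
  return strictIsAllowed(returnUrl) ? returnUrl : fallback;
}

// Constructed inputs an intermediary might receive, showing where the checks differ.
function compareChecks() {
  const samples = [
    "https://app.example.com/auth/callback",
    "https://app.example.com.lookalike.example/",
    "https://app.example.com@lookalike.example/",
    "http://app.example.com/auth/callback",
  ];
  return samples.map((s) => ({ url: s, naive: naiveIsAllowed(s), strict: strictIsAllowed(s) }));
}
```

The same exact-origin comparison applies to any other caller-controlled destination in the flow, such as a post-login redirect, not only the return URL shown here.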
Because OAuth implementations are proving to be so complex, Salt Security plans to release a best-practice guide in the future to help enterprises secure their OAuth implementations effectively, Carmel adds.
