Salt Security Uncovers OAuth Vulnerabilities In Expo Framework

Salt Security, the API security company, has released new threat research from Salt Labs that details several critical security flaws in the Expo framework. The flaws were found in the implementation of the Open Authorization (OAuth) social-login functionality utilized by Expo which had the potential to affect any users logging in to an online service using the Expo framework through their Facebook, Google, Apple, and Twitter accounts.

The Expo research illustrates how enterprises can be subject to API security vulnerabilities introduced by third-party frameworks, in this case potentially affecting the implementation of hundreds of sites and applications. The findings showed that services using this framework were susceptible to credential leakage and could have allowed for large-scale account takeover (ATO) on customers’ accounts, enabling bad actors to:

Manipulate platform users to gain complete control over their accounts
Leak Personal Identifiable Information (PII) and other sensitive user data stored internally by the sites
Steal user identities, perform financial fraud, and gain access to credit card information
Potentially perform actions on behalf of the compromised user within Facebook, Google, Twitter, and other online platforms

Salt Labs, the research arm of Salt Security and a public forum for API security education, discovered the API security gaps and provided the vulnerability analysis. Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with Expo. Expo issued Salt Labs CVE-2023-28131 and swiftly remediated all issues. An Expo investigation found no evidence that these flaws had been exploited in the wild.

As a framework to develop mobile applications, Expo allows developers to build high-quality native apps for iOS, Android, and web platforms using a single codebase. It provides a set of tools, libraries, and services that simplifies and accelerates the development process.

Salt Labs researchers discovered security vulnerabilities in the social login functionality used by Expo, implemented with an industry-standard protocol called OAuth. Popular across websites and web services, OAuth lets users leverage a “one click” login to access sites using their social media accounts, instead of the more traditional user registration and username/password authentication.

These findings mark the second research report in the Salt Labs OAuth hijacking series, following vulnerabilities uncovered in Booking.com earlier this year.

You may also like

Kong Konnect Dedicated Cloud Gateways now available on AWS

Generative AI software revenue in Asia & Oceania projected to exceed $18B by 2028: Report

New Authservice project helps simplify cloud-native authentication

Acorn Labs’ GPTScript aims to redefine coding for AI applications

Clazar raises $10M Series A to empower SaaS companies to leverage cloud marketplaces

SIOS Technology’s Sandi Hamilton wins Bronze Stevie Award