Salt Security, the API security company, has released new threat research from Salt Labs that details several critical security flaws in the Expo framework. The flaws were found in Expo's implementation of the Open Authorization (OAuth) social-login functionality, and they had the potential to affect any user logging in to an online service built on the Expo framework through their Facebook, Google, Apple, or Twitter account.

The Expo research illustrates how enterprises can be subject to API security vulnerabilities introduced by third-party frameworks, in this case potentially affecting the implementation of hundreds of sites and applications. The findings showed that services using this framework were susceptible to credential leakage and could have allowed for large-scale account takeover (ATO) on customers’ accounts, enabling bad actors to:

  • Manipulate platform users to gain complete control over their accounts
  • Leak Personally Identifiable Information (PII) and other sensitive user data stored internally by the sites
  • Steal user identities, perform financial fraud, and gain access to credit card information
  • Potentially perform actions on behalf of the compromised user within Facebook, Google, Twitter, and other online platforms

Salt Labs, the research arm of Salt Security and a public forum for API security education, discovered the API security gaps and provided the vulnerability analysis. Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with Expo. Expo issued CVE-2023-28131 for the findings reported by Salt Labs and swiftly remediated all issues. An Expo investigation found no evidence that these flaws had been exploited in the wild.

As a framework to develop mobile applications, Expo allows developers to build high-quality native apps for iOS, Android, and web platforms using a single codebase. It provides a set of tools, libraries, and services that simplifies and accelerates the development process.

Salt Labs researchers discovered security vulnerabilities in the social-login functionality used by Expo, which is implemented with an industry-standard protocol called OAuth. Popular across websites and web services, OAuth lets users log in to a site with a single click using their social media accounts, instead of going through traditional user registration and username/password authentication.

These findings mark the second research report in the Salt Labs OAuth hijacking series, following vulnerabilities uncovered in Booking.com earlier this year.