Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
28.5.23  Hacking  The Hacker News
Vulnerability
A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io.

The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data.

Under certain circumstances, a threat actor could have taken advantage of the flaw to perform arbitrary actions on behalf of a compromised user on various platforms such as Facebook, Google, or Twitter.

Expo, similar to Electron, is an open source platform for developing universal native apps that run on Android, iOS, and the web.

It's worth noting that for the attack to be successful, sites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider such as Google and Facebook.

Put differently, the vulnerability could be leveraged to send the secret token associated with a sign-in provider (e.g., Facebook) to an actor-controlled domain and use it to seize control of the victim's account.

This, in turn, is accomplished by tricking the targeted user into clicking on a specially crafted link that could be sent via traditional social engineering vectors like email, SMS messages, or a dubious website.

Expo, in an advisory, said it deployed a hotfix within hours of responsible disclosure on February 18, 2023. It's also recommended that users migrate from using AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers to enable SSO features.

Vulnerability
"The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials," Expo's James Ide said.

"This was because auth.expo.io used to store an app's callback URL before the user explicitly confirmed they trust the callback URL."
The disclosure follows the discovery of similar OAuth issues in Booking.com (and its sister site Kayak.com) that could have been leveraged to take control of a user's account, gain full visibility into their personal or payment-card data, and perform actions on the victim's behalf.

The findings also come weeks after Swiss cybersecurity company Sonar detailed a path traversal and an SQL injection flaw in the Pimcore enterprise content management system (CVE-2023-28438) that an adversary can abuse to run arbitrary PHP code on the server with the permissions of the webserver.

Sonar, back in March 2023, also revealed an unauthenticated, stored cross-site scripting vulnerability impacting LibreNMS versions 22.10.0 and prior that could be exploited to gain remote code execution when Simple Network Management Protocol (SNMP) is enabled.