OAuth is the authorization framework most modern applications rely on to simplify sign-in: instead of handling passwords itself, an application delegates access to an identity provider, which grants it scoped access to the user's account on that provider.
However, research published by Salt Security describes a security flaw in the Expo framework, an open-source platform used to build native apps for iOS, Android and the web from a single code base.
Critical OAuth Framework Flaw
CVE-2023-28131 – OAuth Flaw in Expo Platform Affects Hundreds of Third-Party Sites and Apps
An attacker can exploit this vulnerability in the expo[.]io framework by sending a malicious link to a victim.
When the victim clicks the link, the attacker can take over the victim's account and steal the user's access credentials on any application or website that uses the “Expo AuthSession Redirect” proxy for its OAuth flow.
Technical Analysis
OAuth defines several grant types; the two relevant here are the implicit grant and the authorization code grant, sometimes called the explicit grant:
- Implicit grant: the provider returns the access token directly in the redirect back to the application.
- Explicit (authorization code) grant: the redirect carries only a short-lived code, which the application exchanges for the token in a separate back-channel request to the provider.
In the implicit grant flow, the application that uses OAuth sign-in sends the user to one of the OAuth providers, such as Facebook or Google, and asks for an access token directly (response_type=token) rather than an authorization code.
The provider shows the user a consent screen asking whether the website may access their Facebook or Google profile.
When the user allows it, the provider issues an access token and returns it to the application by redirecting the browser to the application's redirect URL, with the token carried in the URL itself.
The application then uses this access token to retrieve user information from Facebook or Google. Because the token travels through the browser in a URL, whoever controls the destination of that redirect receives the token, which is why the implicit grant type, historically used in single-page and native applications, is so sensitive to how redirects are handled.
The Expo Framework
The Expo framework is used by companies such as Flexport, Codecademy, Petal, Cameo and Insider, and has more than 650K developers worldwide.
Researchers at Salt Security rebuilt a sample application to follow the OAuth flow in the Expo framework end to end.
This revealed that Expo's redirect proxy accepted a ReturnUrl parameter that a threat actor could set to a value of their choosing, so the token issued at the end of the flow could be delivered to a destination the attacker controls.
Attack Methodology
The threat actor sends two links to the user.
When the user clicks the first link, the Expo proxy stores the attacker's value, say hTTps[:]//attacker.com, as the ReturnUrl for that user's session.
After the user clicks the second link and completes the Facebook login, Facebook redirects the user back to the Expo.io site, which forwards the token to the stored ReturnUrl, that is, to the attacker.
Since a user cannot be relied on to click two links in sequence during a social-engineering attack, the exploit uses JavaScript to chain both steps from a single page, which also shortens the time in which the user sees the Facebook confirmation page.
Salt Security has published a complete, detailed analysis of the attack.
The result is an account takeover and credential-stealing vulnerability in the Expo.io framework.
Expo has recommended that all of its users update to the patched release it has published.