Today, Salt Security released new threat research from Salt Labs that details several critical security flaws in the Expo framework. The flaws were found in the implementation of the Open Authorization (OAuth) social-login functionality utilised by Expo, and had the potential to affect any user logging in to an online service built on the Expo framework through their Facebook, Google, Apple, or Twitter account. These findings mark the second research report in the Salt Labs OAuth hijacking series, following vulnerabilities uncovered in Booking.com earlier this year.
The issue has been assigned CVE-2023-28131.
The Expo research illustrates how enterprises can be exposed to API security vulnerabilities introduced by third-party frameworks, in this case potentially affecting the implementations of hundreds of sites and applications. The findings showed that services using this framework were susceptible to credential leakage and could have allowed large-scale account takeover (ATO) of customers’ accounts, enabling bad actors to:
- Manipulate platform users to gain complete control over their accounts
- Leak Personal Identifiable Information (PII) and other sensitive user data stored internally by the sites
- Potentially perform actions on behalf of the compromised user within Facebook, Google, Twitter, and other online platforms
- Steal user identities, perform financial fraud, and gain access to credit card information
Salt Labs, the research arm of Salt Security and a public forum for API security education, discovered the API security gaps and provided the vulnerability analysis. Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with Expo. Expo issued Salt Labs CVE-2023-28131 and swiftly remediated all issues. An Expo investigation found no evidence that these flaws had been exploited in the wild.
“Security vulnerabilities can happen on any website – it’s the response that matters,” said Yaniv Balmas, VP of Research, Salt Security. “With OAuth rapidly becoming the industry standard, bad actors are tirelessly at work to find security vulnerabilities within it. Mis-implementation of OAuth can have a significant impact on both companies and customers as they leave precious data exposed and organizations must stay on the pulse of security risks that exist within their platforms.”
As a framework to develop mobile applications, Expo allows developers to build high-quality native apps for iOS, Android, and web platforms using a single codebase. It provides a set of tools, libraries, and services that simplifies and accelerates the development process.
Salt Labs researchers discovered security vulnerabilities in the social login functionality used by Expo, implemented with an industry-standard protocol called OAuth. Popular across websites and web services, OAuth lets users leverage a “one click” login to access sites using their social media accounts, instead of the more traditional user registration and username/password authentication.
OAuth is popular in large part because it provides users with a much easier experience in interacting with websites. However, its complex technical back end can lead to implementation mistakes that create security gaps with the potential for exploitation. By manipulating certain steps in the OAuth sequence on the Expo site, Salt Labs researchers found they could hijack sessions and achieve account takeover (ATO); steal user data such as credit card numbers, private messages, and health records; and perform actions on behalf of users.
With the potential to impact hundreds of companies using Expo, Salt Labs discovered this vulnerability in Codecademy.com, a popular online platform offering free coding classes across a dozen programming languages. Companies including Google, LinkedIn, Amazon, Spotify, and others use the site to help train employees, and the site boasts ~100 million users. The Salt Labs team was able to exploit the Expo vulnerability on the Codecademy site to gain complete control of accounts.