OAuth Flaw Exposed Social Media Logins to Account Takeover
Now-Fixed Expo Framework API Vulnerability Posed Credential, Identity Theft Risks
A new OAuth-related vulnerability in an open-source application development framework could expose Facebook, Google, Apple and Twitter users to account takeover, personal data leakage, identity theft, financial fraud and unauthorized actions on other online platforms, security researchers said.
API security firm Salt Security discovered the security flaw in the Expo framework, which is used by many online services to implement an OAuth authentication protocol. The vulnerability, which is part of the software's social login functionality, is tracked as CVE-2023-28131.
The vulnerability allows a malicious actor to perform actions on behalf of compromised accounts on other online platforms.
OAuth is a standard protocol for users to grant access to their private resources on one website or application to another website or application, without sharing their login credentials. How it does this is complicated and can lead to security issues. Salt Labs researchers discovered that by changing some steps in the OAuth process on the Expo site, they could take control of other accounts and steal personal information such as credit card numbers, private messages and health records - and perform tasks online on behalf of other users.
The Expo framework is an open-source platform for developing applications for mobile and web platforms. According to the Salt Security researchers, the Expo framework is used by 650,000 developers at a variety of major companies.
The platform also allows developers to build native apps from a single codebase and provides a set of tools, libraries and services that simplify the development process. "One of the included services is OAuth, which lets developers easily integrate a social sign-in component into their website," researchers said.
Although the flaw could affect hundreds of companies using Expo, Salt Labs researchers found it on a single popular online platform, Codecademy.com, which offers free coding classes in a dozen programming languages.
Salt Security identified the vulnerability on Jan. 24. It was reported to Expo on Feb. 18 and the company created a hotfix the same day and automatically provided mitigation, but it "recommends that customers update their deployment to deprecate this service to fully remove the risk."
Aviad Carmel, a security researcher at Salt Security, said this is the second OAuth vulnerability discovered in a third-party framework used by hundreds of companies, and it could have affected hundreds of websites and apps.
Carmel said that the OAuth vulnerability was part of the social sign-in process, in which Expo acts as an intermediary and transfers user credentials to the target website.
"Exploiting this vulnerability involves intercepting the flow mentioned above. By doing so, an attacker can manipulate Expo to send the user credentials to his own malicious domain instead of the intended destination," Carmel said.
To avoid similar mistakes in implementing OAuth, Carmel advises organizations to understand how OAuth functions and which endpoints can receive user inputs.
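The check below is an added illustration of Carmel's advice, not code from Expo or from Salt Security: an intermediary that forwards sign-in results back to an app should compare the requested return URL against registered origins exactly, rather than by substring or prefix. The allowlist, app names and token are constructed for the example.

```javascript
// Hypothetical intermediary-side validation of an OAuth return URL.
// Constructed allowlist: origins the (fictional) app registered in advance.
const ALLOWED_RETURN_ORIGINS = new Set(["https://app.example.com"]);

// Accept only an absolute https URL whose origin (scheme + host + port)
// exactly matches a registered origin. Parsing with the WHATWG URL class
// means lookalike hosts, embedded credentials and odd schemes are rejected
// by construction instead of by a list of string patterns.
function isAllowedReturnUrl(candidate, allowedOrigins) {
  let url;
  try {
    url = new URL(candidate); // throws on relative or unparseable input
  } catch (e) {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  return allowedOrigins.has(url.origin);
}

// Build the redirect that carries the sign-in result back to the app, or
// return null so the caller can refuse the request. The constructed token
// goes in the fragment, which browsers do not send to the server.
function buildReturnRedirect(candidate, token, allowedOrigins) {
  if (!isAllowedReturnUrl(candidate, allowedOrigins)) return null;
  const target = new URL(candidate);
  target.hash = "token=" + encodeURIComponent(token);
  return target.toString();
}

// Stand-alone demonstration against constructed inputs, including the
// lookalike shapes a strict origin comparison is meant to reject.
const samples = [
  "https://app.example.com/auth/callback",        // registered origin
  "https://app.example.com:443/auth/callback",    // default port, same origin
  "https://app.example.com.evil.test/callback",   // lookalike host
  "https://evil.test/?next=https://app.example.com", // allowlisted value in query
  "https://app.example.com@evil.test/callback",   // credentials trick
  "http://app.example.com/auth/callback",         // plaintext scheme
  "//app.example.com/auth/callback",              // scheme-relative
];
for (const s of samples) {
  console.log(isAllowedReturnUrl(s, ALLOWED_RETURN_ORIGINS) ? "allow " : "reject", s);
}

module.exports = { ALLOWED_RETURN_ORIGINS, isAllowedReturnUrl, buildReturnRedirect };
```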
Many vendors are reporting a rise in API attacks and vulnerabilities in open-source software at a time when API traffic is growing rapidly with digital transformation programs. The largest breach in 2022 resulted from an API hack at Twitter that exposed the email addresses and other personal information of 221 million users.
Salt Security's API Security Report says its customers experienced a 117% increase in API attack traffic in 2022.