As reported by security researchers, a new OAuth-related vulnerability in an open-source application development framework could expose Facebook, Google, Apple, and Twitter users to account takeover, personal data leakage, identity theft, financial fraud, and unauthorized actions on other online platforms.
The security vulnerability was discovered in the Expo framework, which is used by numerous web businesses to implement the OAuth authentication protocol. CVE-2023-28131 has been assigned to the vulnerability, which is part of the software's social login capability.
The vulnerability allows a bad actor to take actions on behalf of compromised online platform accounts. According to Salt Security's API Security Report, users saw a 117% rise in API attack traffic in 2016.
OAuth is a standard protocol that allows users to authorize one website or application to access private resources on another without exposing their login credentials. This is a complex procedure that can introduce security risks. Researchers from Salt Labs revealed that by altering some phases of the OAuth procedure on the Expo site, they could take control of other accounts and steal sensitive information such as credit card details, private messages, and health records, as well as perform operations online on behalf of other users.
The Expo framework is an open-source platform for developing mobile and web applications. According to Salt Security researchers, it is used by 650,000 developers at a range of significant enterprises.
The platform also enables developers to create native apps with a single codebase and offers a collection of tools, frameworks, and services to make the development process easier. "One of the included services is OAuth, which allows developers to easily integrate a social sign-in component into their website," according to the researchers.
Salt Labs researchers uncovered this vulnerability, which has the potential to compromise hundreds of firms using Expo, in a major online platform, Codecademy.com, which offers free coding education in a dozen programming languages.
On January 24, Salt Security discovered the vulnerability. It was reported to Expo on February 18, and the company immediately produced a hotfix and provided mitigation, but it "recommends that customers update their deployment to deprecate this service to fully remove the risk."
As noted by Aviad Carmel, a security researcher at Salt Security, this is the second OAuth vulnerability uncovered in a third-party framework used by hundreds of businesses, and it might have affected hundreds of websites and apps.
The OAuth vulnerability, according to Carmel, was part of the social sign-in process, in which Expo acts as an intermediary and sends user credentials to the destination website.
"Exploiting this vulnerability involves intercepting the flow mentioned above. By doing so, an attacker can manipulate Expo to send the user credentials to his own malicious domain instead of the intended destination," Carmel said.
Carmel recommends that organizations understand how OAuth works and which endpoints can receive user input, to avoid making similar mistakes when using OAuth. Many vendors are reporting an increase in API attacks and in vulnerabilities in open-source software at a time when API traffic is growing quickly as a result of digital transformation programs. The largest breach in 2022 was caused by an API hack at Twitter, which exposed 221 million users' email addresses and other personal information.