Expo Framework API Flaw Reveals User Data in Online Services

A critical security flaw was discovered in the Expo framework that could be exploited to expose user data for various online services.

This vulnerability (CVE-2023-28131) was discovered by Salt Security and has a CVSS score of 9.6.

Specifically, this bug was discovered in the way Expo’s Open Authorization (OAuth) social login functionality was implemented.

Expo allows developers to create native iOS, Android, and web applications from a single codebase. The platform provides a variety of tools, libraries, and services designed to streamline and speed up the development process.

Still, due to the nature of the vulnerability, services that depended on this framework were susceptible to compromised credentials, which could lead to mass account takeover (ATO) of customer accounts.


This could affect, for example, anyone who uses their Facebook, Google, Apple, or Twitter account to log into online services that use Expo.

Salt Security’s research arm, Salt Labs, explained that it disclosed the vulnerability to Expo as soon as it was discovered, and Expo quickly fixed it. A separate guide describing how to mitigate the defect is also available.

“Security vulnerabilities can occur on any website. Response is key,” said Yaniv Balmas, Vice President of Research at Salt Security.

Security experts say that with OAuth rapidly becoming an industry standard, malicious individuals are constantly looking for security weaknesses in it.

“Mis-implementation of OAuth can have a significant impact on both businesses and customers, as valuable data remains exposed, and organizations should always be aware of the security risks that exist within their platform,” added Balmas.

The flaw and its fix came weeks after Salt Security released a report suggesting that attacks targeting application programming interfaces (APIs) had increased 400% over the past few months.
