
A critical security vulnerability has been identified in the Open Authorization (OAuth) implementation of the application development framework Expo.io.
The flaw has been assigned the CVE identifier CVE-2023-28131 and carries a CVSS score of 9.6. API security firm Salt Labs said the issue leaves services built on the framework open to credential compromise, which could be used to hijack accounts or exfiltrate sensitive data.
Under certain circumstances, threat actors could use this flaw to perform arbitrary actions on behalf of compromised users on various platforms such as Facebook, Google, and Twitter.
Expo, like Electron, is an open source platform for developing universal native apps that run on Android, iOS and the web.
Note that the attack only works against sites and applications that use Expo's AuthSession proxy for single sign-on (SSO) with third-party providers such as Google and Facebook.
In other words, the vulnerability could be used to send the secret token associated with a sign-in provider (such as Facebook) to an attacker-controlled domain, where it could be used to take over the victim's account.
This is accomplished by tricking targeted users into clicking specially crafted links delivered through the usual social engineering vectors: email, SMS messages, or dubious websites.
In its advisory, Expo said it deployed a hotfix within hours of responsible disclosure on February 18, 2023. It also recommends that users migrate from the AuthSession API proxy to registering a deep link URL scheme directly with the third-party authentication provider to enable SSO.

“This vulnerability could have allowed a potential attacker to trick users into visiting a malicious link, logging into a third-party authentication provider, and accidentally exposing their third-party authentication credentials,” said Expo’s James Ide.
“This is because auth.expo.io stored your app’s callback URL before you explicitly confirmed that you trusted the callback URL.”
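The root cause Ide describes, a proxy that binds the provider's token to a callback URL before anyone has decided that URL can be trusted, is the general OAuth redirect-URI problem. The following is an added illustration, not Expo's code and not taken from the advisory: a tiny model of an auth proxy in JavaScript that shows the vulnerable "store first" flow beside a hardened flow that only persists a return URL registered for the app and explicitly confirmed by the user. `APP_REGISTRY`, the function names and the sample URLs are all hypothetical and constructed for the example.

```javascript
// Added example, not Expo's code: a minimal model of an OAuth "auth proxy"
// (the role auth.expo.io plays for AuthSession) deciding which return URL may
// receive the provider's token. APP_REGISTRY and the function names are
// hypothetical; Expo's real registry and handlers are not shown on the page.

// Constructed registry: each app slug maps to the return URLs it registered.
const APP_REGISTRY = {
  "acme-app": ["acme://auth-callback", "https://app.acme.example/auth"],
};

// Strict match on scheme, host and path against the registered list.
// Query strings are tolerated; userinfo tricks (https://good@evil/...) and
// look-alike hosts fail because URL parsing yields a different host.
function isAllowedReturnUrl(appSlug, candidate) {
  const allowed = APP_REGISTRY[appSlug];
  if (!allowed) return false;
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return false; // unparseable input is never trusted
  }
  return allowed.some((registered) => {
    const ref = new URL(registered);
    return (
      ref.protocol === parsed.protocol &&
      ref.host === parsed.host &&
      ref.pathname === parsed.pathname
    );
  });
}

// Vulnerable pattern, as the advisory describes it: the proxy persists the
// callback URL from the incoming link immediately, before any trust decision.
function startAuthVulnerable(session, appSlug, returnUrl) {
  session.returnUrl = returnUrl;
  return { ok: true };
}

// Hardened pattern: the URL is only persisted once it is registered for the
// app AND the user has explicitly confirmed the destination on an
// interstitial page (modelled here by the `userConfirmed` flag).
function startAuthHardened(session, appSlug, returnUrl, userConfirmed) {
  if (!isAllowedReturnUrl(appSlug, returnUrl)) {
    return { ok: false, reason: "return URL not registered for app" };
  }
  if (!userConfirmed) {
    return { ok: false, reason: "user has not confirmed the return URL" };
  }
  session.returnUrl = returnUrl;
  return { ok: true };
}

// After the provider redirects back, the token goes to whatever the session
// stored. If that is attacker-controlled, the account token leaks.
function completeAuth(session, providerToken) {
  if (!session.returnUrl) return null;
  return `${session.returnUrl}#token=${encodeURIComponent(providerToken)}`;
}

// Walk both flows with a constructed attacker-supplied return URL.
function demo() {
  const evil = "https://attacker.example/collect";
  const vulnerable = {};
  startAuthVulnerable(vulnerable, "acme-app", evil);
  const hardened = {};
  const verdict = startAuthHardened(hardened, "acme-app", evil, true);
  return {
    leakedTo: completeAuth(vulnerable, "provider-token-123"),
    hardenedVerdict: verdict,
    hardenedDelivery: completeAuth(hardened, "provider-token-123"),
  };
}
```

The allowlist check is the same property that Expo's recommended migration enforces structurally: when the deep link scheme is registered directly with the identity provider, the provider itself refuses to redirect anywhere else, so no proxy is left holding a caller-supplied destination.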
The disclosure follows the discovery of a similar OAuth issue on Booking.com (and its sister site Kayak.com) that could have been exploited to take control of users' accounts, gain full visibility into their personal data and payment card details, and take actions on their behalf.
The findings also come a few weeks after Swiss cybersecurity firm Sonar detailed path traversal and SQL injection flaws in the Pimcore enterprise content management system (CVE-2023-28438), which an attacker could exploit to execute arbitrary PHP code on the server with the privileges of the web server.
In March 2023, Sonar disclosed an unauthenticated stored cross-site scripting vulnerability affecting LibreNMS versions 22.10.0 and earlier. This vulnerability could be exploited for remote code execution if Simple Network Management Protocol (SNMP) is enabled.