Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
May 27, 2023
API Security / Vulnerability
A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io. The shortcoming, assigned the CVE identifier CVE-2023-28131 , has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data. Under certain circumstances, a threat actor could have taken advantage of the flaw to perform arbitrary actions on behalf of a compromised user on various platforms such as Facebook, Google, or Twitter. Expo, similar to Electron, is an open source platform for developing universal native apps that run on Android, iOS, and the web. It's worth noting that for the attack to be successful, sites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider