Basic search

K
thnThe Hacker NewsTHN:D089B0E6DBBE6911EAF8B1459A378A02
HistoryMay 27, 2023 - 7:45 a.m.

Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking

2023-05-2707:45:00
The Hacker News
thehackernews.com
59

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

37.8%

Vulnerability

A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io.

The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data.

Under certain circumstances, a threat actor could have taken advantage of the flaw to perform arbitrary actions on behalf of a compromised user on various platforms such as Facebook, Google, or Twitter.

Expo, similar to Electron, is an open source platform for developing universal native apps that run on Android, iOS, and the web.

It’s worth noting that for the attack to be successful, sites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider such as Google and Facebook.

Put differently, the vulnerability could be leveraged to send the secret token associated with a sign-in provider (e.g., Facebook) to an actor-controlled domain and use it to seize control of the victim’s account.

This, in turn, is accomplished by tricking the targeted user into clicking on a specially crafted link that could be sent via traditional social engineering vectors like email, SMS messages, or a dubious website.

Expo, in an advisory, said it deployed a hotfix within hours of responsible disclosure on February 18, 2023. It’s also recommended that users migrate from using AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers to enable SSO features.

Vulnerability

“The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials,” Expo’s James Ide said.

“This was because auth.expo.io used to store an app’s callback URL before the user explicitly confirmed they trust the callback URL.”

The disclosure follows the discovery of similar OAuth issues in Booking.com (and its sister site Kayak.com) that could have been leveraged to take control of a user’s account, gain full visibility into their personal or payment-card data, and perform actions on the victim’s behalf.

The findings also come weeks after Swiss cybersecurity company Sonar detailed a path traversal and an SQL injection flaw in the Pimcore enterprise content management system (CVE-2023-28438) that an adversary can abuse to run arbitrary PHP code on the server with the permissions of the webserver.

Sonar, back in March 2023, also revealed an unauthenticated, stored cross-site scripting vulnerability impacting LibreNMS versions 22.10.0 and prior that could be exploited to gain remote code execution when Simple Network Management Protocol (SNMP) is enabled.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

37.8%

Related for THN:D089B0E6DBBE6911EAF8B1459A378A02