Expo Framework API Flaw Reveals User Data in Online Services

Written by

A critical security flaw in the Expo framework has been discovered that could be exploited to reveal user data in various online services.

The vulnerability (CVE-2023-28131) was discovered by Salt Security and has a CVSS score of 9.6.

In particular, the bug was found in the way Expo’s Open Authorization (OAuth) social-login feature is implemented. 

Expo enables developers to create native iOS, Android, and web applications using a single codebase. The platform features a range of tools, libraries and services designed to streamline and expedite the development process.

Still, due to the nature of the vulnerability, services relying on this framework were susceptible to credential leakage and could have allowed for large-scale account takeover (ATO) on customers’ accounts.

Read more on API security here: 4 Tips to Maximize Your API Security

This, for instance, could impact anyone who logs in to an online service using Expo using their Facebook, Google, Apple or Twitter accounts.

Salt Labs, the research arm of Salt Security, explained that upon discovering the vulnerability, it immediately disclosed it to Expo, who swiftly remediated it. A separate guide is available describing the process to mitigate the flaw.

“Security vulnerabilities can happen on any website – it’s the response that matters,” said Yaniv Balmas, VP of research at Salt Security. 

According to the security expert, as OAuth is quickly becoming the norm in the industry, malicious individuals are constantly searching for security weaknesses in it.

“Misimplementation of OAuth can have a significant impact on both companies and customers as they leave precious data exposed, and organizations must stay on the pulse of security risks that exist within their platforms,” Balmas added.

The flaw and its remediation come weeks after Salt Security published a report suggesting that attacks targeting application programming interfaces (APIs) have increased 400% over the last few months.

What’s hot on Infosecurity Magazine?