Advisory

Critical OAuth Vulnerability in Expo.io Framework

Take action: Three actions to take as soon as possible if you use the Expo framework:
1. Update Expo.io to the latest version, which includes the hotfix released by Expo to address the critical security vulnerability (CVE-2023-28131).
2. Consider migrating to a more secure authentication method by directly registering deep link URL schemes with third-party authentication providers to enhance SSO security.
3. As always, educate users about phishing risks.


Learn More

A critical security vulnerability has been discovered in Expo.io, an application development framework with an Open Authorization (OAuth) implementation.

By exploiting this flaw, threat actors could perform unauthorized actions on behalf of compromised users across platforms like Facebook, Google, and Twitter.

The vulnerability, identified as CVE-2023-28131, has a severity rating of 9.6 and could lead to credential leakage, allowing attackers to hijack accounts and extract sensitive data. For the attack to be successful, sites and applications using Expo must be configured with the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider such as Google or Facebook.

With this vulnerability, the secret token associated with a sign-in provider (e.g., Facebook) could be sent to an attacker-controlled domain and then used to seize control of the victim's account. The vulnerability is exploited in a fairly standard way, via phishing: the targeted user is tricked into clicking on a specially crafted link sent through traditional social engineering vectors such as email, SMS messages, or a dubious website.

Expo has released a hotfix and recommends migrating from AuthSession API proxies to directly registering deep link URL schemes for third-party authentication providers to enhance single sign-on (SSO) security.
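The recommended mitigation, a directly registered deep link scheme, amounts to a strict rule about where a sign-in token may be returned. Added example, not Expo's code, in Node.js: a return-URL check that accepts only an assumed registered scheme `myapp` and refuses an attacker-controlled https address, so the token described above is never forwarded there.

```javascript
// Added example, not Expo's code: a strict check that a sign-in proxy or app
// would apply to the return URL before forwarding an OAuth token to it.
// Assumption: the app registered the custom deep-link scheme "myapp"; any
// return URL on another scheme (e.g. https:// on an attacker host) is refused.
const REGISTERED_SCHEMES = new Set(['myapp']);

// Returns true only for an absolute URL whose scheme is one the app registered.
function isAllowedReturnUrl(candidate, registered = REGISTERED_SCHEMES) {
  let url;
  try {
    url = new URL(candidate); // throws on relative or unparseable input
  } catch {
    return false;
  }
  const scheme = url.protocol.slice(0, -1); // WHATWG lower-cases it, drops ':'
  if (!registered.has(scheme)) return false;
  // Credentials in the authority ("myapp://user:pw@host") are never legitimate here.
  if (url.username !== '' || url.password !== '') return false;
  return true;
}

// Classifies each candidate so the forward/refuse decision is visible at a glance.
function classifyReturnUrls(candidates, registered = REGISTERED_SCHEMES) {
  const result = {};
  for (const c of candidates) {
    result[c] = isAllowedReturnUrl(c, registered) ? 'forward' : 'refuse';
  }
  return result;
}

// Constructed sample return URLs: one legitimate deep link and several that a
// phishing link could carry. Only the first should ever receive the token.
const SAMPLE_RETURN_URLS = [
  'myapp://auth/callback',
  'https://attacker.example/collect',
  'https://attacker.example/?next=myapp://auth/callback',
  'myapp://user:pw@auth/callback',
  '//attacker.example/collect',
  'not a url',
];

console.log(classifyReturnUrls(SAMPLE_RETURN_URLS));
```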

Expo is an open source platform for developing universal native apps that run on Android, iOS, and the web.