Security News > 2023 > May > Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
A critical security vulnerability has been disclosed in the Open Authorization implementation of the application development framework Expo.io.
API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data.
It's worth noting that for the attack to be successful, sites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on using a third-party provider such as Google and Facebook.
Put differently, the vulnerability could be leveraged to send the secret token associated with a sign-in provider to an actor-controlled domain and use it to seize control of the victim's account.
"The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials," Expo's James Ide said.
Back in March 2023, also revealed an unauthenticated, stored cross-site scripting vulnerability impacting LibreNMS versions 22.10.0 and prior that could be exploited to gain remote code execution when Simple Network Management Protocol is enabled.
News URL
https://thehackernews.com/2023/05/critical-oauth-vulnerability-in-expo.html
Related news
- GitLab warns of critical pipeline execution vulnerability (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks (source)
- CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns (source)
- PoC for critical SolarWinds Web Help Desk vulnerability released (CVE-2024-28987) (source)
- That doomsday critical Linux bug: It's CUPS. Could lead to remote hijacking of devices (source)
- That doomsday critical Linux bug: It's CUPS. May lead to remote hijacking of devices (source)
- Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers (source)
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (source)