Security News > 2023 > May > Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking

A critical security vulnerability has been disclosed in the Open Authorization implementation of the application development framework Expo.io.

API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data.

It's worth noting that for the attack to be successful, sites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on using a third-party provider such as Google and Facebook.

Put differently, the vulnerability could be leveraged to send the secret token associated with a sign-in provider to an actor-controlled domain and use it to seize control of the victim's account.

"The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials," Expo's James Ide said.

Back in March 2023, also revealed an unauthenticated, stored cross-site scripting vulnerability impacting LibreNMS versions 22.10.0 and prior that could be exploited to gain remote code execution when Simple Network Management Protocol is enabled.

News URL

https://thehackernews.com/2023/05/critical-oauth-vulnerability-in-expo.html