Security News > 2023 > May > Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking

A critical security vulnerability has been disclosed in the Open Authorization implementation of the application development framework Expo.io.
API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data.
It's worth noting that for the attack to be successful, sites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on using a third-party provider such as Google and Facebook.
Put differently, the vulnerability could be leveraged to send the secret token associated with a sign-in provider to an actor-controlled domain and use it to seize control of the victim's account.
"The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials," Expo's James Ide said.
Back in March 2023, also revealed an unauthenticated, stored cross-site scripting vulnerability impacting LibreNMS versions 22.10.0 and prior that could be exploited to gain remote code execution when Simple Network Management Protocol is enabled.
News URL
https://thehackernews.com/2023/05/critical-oauth-vulnerability-in-expo.html
Related news
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
- Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking (source)
- IBM scores perfect 10 ... vulnerability in mission-critical OS AIX (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)