Serious Security: Verification is vital – examining an OAUTH login bug
2023-05-30 18:59

Researchers at web coding security company SALT just published a fascinating description of how they found an authentication bug dubbed CVE-2023-28131 in a popular online app-building coding toolkit known as Expo.

Expo itself adds a wrapper around the verification process, so that it handles the authentication and the validation for you, ultimately passing a magic access token for the desired website back to the app or website you're connecting from.

The parameters used in handling the verification are packed into a big URL that's submitted to the Expo service.

If you approve the popup, Expo redirects you to the Facebook verification process.

The SALT researchers found that they could subvert the login process by using JavaScript code to trigger access to the initial Expo login URL, but then killing off the verification popup before you had time to read it or approve it yourself.

Then the researchers used a second chunk of JavaScript code to simulate Expo's redirect to Facebook's verification process, which would automatically succeed if you were already logged into Facebook itself.


News URL

https://nakedsecurity.sophos.com/2023/05/30/serious-security-verification-is-vital-examining-an-oauth-login-bug/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                                                      RISK
2023-04-24  CVE-2023-28131  Insufficiently Protected Credentials vulnerability in Expo Software Development KIT 45.0.0/46.0.0/47.0.0  critical (score 9.6)

A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in.

Attack vector: network; attack complexity: low; product: expo; weakness: CWE-522 (Insufficiently Protected Credentials)