A security flaw in the implementation of the Open Authorization (OAuth) standard, which is widely used by websites and applications to connect to platforms like Facebook, Google, Apple, and Twitter, could enable attackers to hijack user accounts, access or leak sensitive data, and even commit financial fraud. OAuth is employed when a user logs into a website and selects an option to log in using another social media account, such as 'Log in with Facebook' or 'Log in with Google.' This feature is commonly used for cross-platform authentication.
Salt Labs, a team from API security firm Salt Security, discovered the vulnerability, identified as CVE-2023-28131, in the OAuth implementation of Expo, an open-source framework for building native mobile apps for iOS, Android, and other web platforms from a single codebase. The flaw could potentially affect any user who signs in with a social media account to an online service built on the framework, as revealed in a blog post published on May 24.
This vulnerability is the second and more significant one that Salt researchers have discovered in an online platform's implementation of OAuth, which is proving to be a challenging standard to implement securely. In March, Salt found a flaw in Booking.com's implementation of OAuth that could have allowed attackers to hijack user accounts and gain full access to their personal or payment card data, as well as log into accounts on sister platform Kayak.com. The flaw in Expo could have had a much broader impact than the Booking.com flaw due to Expo's extensive install base. Aviad Carmel, a Salt security researcher, states, 'Because this second OAuth vulnerability was discovered in a third-party framework used by hundreds of companies, the potential exposure was far greater. It could have impacted the OAuth implementations of hundreds of websites and apps.'
Furthermore, OAuth is becoming a standard authentication method in modern service-based architectures and emerging artificial intelligence (AI)-based platforms. This inherently means that any vulnerabilities in OAuth implementations have a wide reach. In other research unveiled on May 24, software-as-a-service (SaaS) security firm DoControl revealed that 24 percent of third-party AI apps require risky OAuth permissions. Expo patched CVE-2023-28131 within hours after Salt researchers reported the issue, and developers maintaining the platform recommended in a blog post detailing the flaw that customers update their Expo deployments to fully mitigate the risk.
However, the growing list of OAuth vulnerabilities and the overall complexity of correctly configuring the standard suggest that more websites and apps could have undiscovered flaws lurking beneath their surface. The findings also demonstrate how enterprises are negatively and broadly affected when third-party frameworks introduce API vulnerabilities into their environment, often without their knowledge. This puts customers at risk for credential leaks or account takeover and provides threat actors with a platform from which to launch additional attacks, according to the researchers.
When a user clicks on an OAuth-enabled link to log in to Site A with a social media account, Site A opens a new window to Facebook, Google, or whichever trusted provider the user chose. If it's the user's first time visiting Site A, the social media page asks for permission to share details with Site A. If the user has gone through the process before, the social media site automatically authenticates the user to Site A. Salt Labs researchers discovered CVE-2023-28131 in Codecademy.com, an online platform that offers free coding classes across a dozen programming languages. Companies such as Google, LinkedIn, Amazon, Spotify, and others use the site to help train employees, and the site has around 100 million users. The researchers ultimately exploited the flaw to gain complete control of Codecademy.com accounts.
The vulnerability in the OAuth implementation within Expo is related to the social sign-in process, as Carmel explains. 'When users sign in using their Facebook or Google credentials, Expo acts as an intermediary and transfers the user's credentials to the target website,' he says. Attackers could have exploited CVE-2023-28131 by intercepting this flow and manipulating Expo to send the user credentials to a malicious domain instead of the intended destination. This exploitation could have led to personal data leaks or even financial fraud if attackers used credentials to log into users' financial accounts. Threat actors also could potentially have performed actions on behalf of users on their social media accounts, according to Carmel.
OAuth's popularity stems from its ability to provide a seamless user experience when interacting with frequently used websites. However, its complex, technical back-end can lead to implementation mistakes, creating security gaps that are ripe for exploitation, as the researchers noted. To secure an OAuth implementation, an organization must understand how OAuth functions and which endpoints can receive user inputs. Carmel advises, 'Attackers may attempt to manipulate these inputs, so validating each one is essential. This can be achieved by maintaining a whitelist of predetermined values or implementing other strict validation methods.' Due to the complexity of OAuth implementations, Salt Security plans to release a best-practice guide in the future to help enterprises secure their OAuth implementations effectively, Carmel adds.
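The strict validation Carmel describes, applied to the kind of input the article discusses (the destination an OAuth intermediary is told to send the sign-in result to), as an added JavaScript example that is not Expo's code or Salt Labs' proof of concept. The parameter name `returnUrl`, the allowlist, and the sample inputs are assumptions constructed for the demonstration; the loose check is shown only to illustrate why an allowlist of exact origins is the safer pattern.

```javascript
// Added example: strict allowlist validation of an OAuth return/redirect
// destination, beside a loose check that accepts hosts outside the allowlist.
// "returnUrl" and ALLOWED_ORIGINS are assumed names, not Expo's own code.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://staging.example.com",
]);

// Loose check: substring matching on the host name. It accepts any URL that
// merely contains the expected host somewhere in the string.
function looseReturnUrlCheck(returnUrl) {
  return returnUrl.includes("app.example.com");
}

// Strict check: parse the value as an absolute URL and compare its full
// origin (scheme + host + port) against the allowlist, exactly.
function isAllowedReturnUrl(returnUrl) {
  let url;
  try {
    url = new URL(returnUrl);
  } catch {
    return false; // relative or malformed values are rejected outright
  }
  if (url.protocol !== "https:") return false;      // no downgrade to http
  if (url.username || url.password) return false;   // no embedded userinfo
  return ALLOWED_ORIGINS.has(url.origin);
}

// Constructed sample inputs: one legitimate callback and several variants
// that a validator should reject.
const SAMPLES = [
  "https://app.example.com/oauth/callback",
  "https://app.example.com.other.example/callback",
  "https://other.example/?next=app.example.com",
  "https://app.example.com@other.example/",
  "http://app.example.com/callback",
  "javascript:alert(1)",
];

// Run one check over all samples and return a map of input -> verdict.
function evaluate(check) {
  return Object.fromEntries(SAMPLES.map((s) => [s, check(s)]));
}
```

Only the first sample passes the strict check, while the loose check accepts five of the six.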