A vulnerability in the implementation of the Open Authorization (OAuth) standard that websites and applications use to connect to Facebook, Google, Apple, Twitter, and more could allow attackers to take over user accounts, access and/or leak sensitive information, and even commit financial fraud.
OAuth comes into play when a user reaches a website's login page and clicks a button such as "Log in with Facebook" or "Log in with Google," a feature many sites use so that an account at one provider can authenticate the user to another. A team from API security firm Salt Security's Salt Labs discovered the flaw, tracked as CVE-2023-28131, in the OAuth implementation in Expo, an open source framework for building native mobile apps for iOS, Android, and the web from a single codebase.
Specifically, the flaw potentially could affect any user who signs in with a social media account to an online service built on the framework, the researchers revealed in a blog post published May 24.
The vulnerability is the second, and the more impactful, one that Salt researchers have found in an online platform's implementation of OAuth, which is proving to be a tricky standard to implement securely. In March, Salt discovered a flaw in Booking.com's implementation of OAuth that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.
Third-Party Risk With OAuth Implementation
The flaw in Expo could have had a much wider impact than the Booking.com flaw, because of Expo’s wide install base, Aviad Carmel, Salt security researcher, tells Dark Reading.
“Because this second OAuth vulnerability was discovered in a third-party framework used by hundreds of companies, the potential exposure was far greater,” he says. “It could have impacted the OAuth implementations of hundreds of websites and apps.”
Moreover, OAuth (with OpenID Connect layered on top of it for authentication) is becoming the de facto sign-in standard in modern service-based architectures, as well as in emerging artificial intelligence (AI)-based platforms, which means any vulnerability in a widely used OAuth implementation has a broad reach. In fact, in other research unveiled May 24, software-as-a-service (SaaS) security firm DoControl revealed that 24 percent of third-party AI apps require risky OAuth permissions.
Expo patched CVE-2023-28131 within hours of Salt's report, and its maintainers recommended in a blog post detailing the flaw that customers update their Expo deployments to fully mitigate the risk.
However, the mounting list of OAuth vulnerabilities, and the complexity of configuring the standard correctly that they highlight, suggest that more websites and apps have undiscovered flaws lurking beneath the surface.
The findings also show how broadly enterprises are affected when a third-party framework introduces API vulnerabilities into their environment, often without their knowledge. This puts customers at risk of credential leaks or account takeover, and gives threat actors a foothold from which to launch further attacks, the researchers said.
Exploiting the Expo Flaw
When a user clicks an OAuth-enabled link to log in to Site A with a social media account, Site A opens a new window to Facebook, Google, or whichever trusted identity provider was chosen. If it is the user's first visit to Site A, the provider asks for permission to share certain details with Site A. If the user has been through the process before, the provider skips the prompt and sends the user straight back to Site A with the authorization code or token that completes the login, so the authentication appears automatic.
Salt Labs researchers discovered CVE-2023-28131 on Codecademy.com, an online platform that offers free coding classes across a dozen programming languages. Companies including Google, LinkedIn, Amazon, and Spotify use the site to help train employees, and it has around 100 million users. The researchers ultimately exploited the flaw to gain complete control of Codecademy.com accounts, they said.
The vulnerability in the OAuth implementation within Expo relates to the social sign-in process, Carmel tells Dark Reading. “When users sign in using their Facebook or Google credentials, Expo acts as an intermediary and transfers the user’s credentials to the target website,” he says.
Attackers could have exploited CVE-2023-28131 by intercepting this flow and manipulating Expo into sending the user's credentials to a domain under their control instead of to the intended destination, Carmel explains.
Such exploitation could have led to leaks of personal data, or even financial fraud if attackers used the credentials to log in to users' financial accounts. Threat actors also could potentially have performed actions on users' social media accounts on their behalf, Carmel says.
Why OAuth Is Tricky
OAuth's popularity stems from the seamless experience it gives users of frequently visited websites. Its back end, however, is complex, and that complexity invites implementation mistakes that open security gaps ripe for exploitation, the researchers said.
To secure an OAuth implementation, then, an organization must understand how OAuth functions and which endpoints can receive user inputs, Carmel says.
“Attackers may attempt to manipulate these inputs, so validating each one is essential,” he advises. “This can be achieved by maintaining a whitelist of predetermined values or implementing other strict validation methods.”
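The validation Carmel describes, applied to the sign-in flow sketched earlier and to the attack path described under "Exploiting the Expo Flaw," as an added example that is not code from Expo or Salt Labs: an OAuth intermediary deciding where to send the authorization result, once with a loose prefix check on the app's return URL and once with an exact allowlist. The app name, URLs, and attacker inputs below are constructed for illustration and do not describe Expo's actual endpoint.

```javascript
// Added example (not Expo's or Salt Labs' code): why an OAuth intermediary must
// check the app's return/redirect URL against an exact allowlist rather than a
// loose pattern. All names, URLs and inputs below are constructed.

// Return URLs the app registered up front; only these may receive a login result.
const REGISTERED_RETURN_URLS = new Set([
  'https://app.example.com/auth/callback',
  'myapp://auth/callback',
]);

// Loose check: accepts anything that merely starts with the app's origin string.
// An attacker-controlled parameter can keep that prefix and still point elsewhere.
function looseReturnUrlCheck(candidate) {
  return candidate.startsWith('https://app.example.com');
}

// Strict check: parse the URL, reject parts that could change where the browser
// lands (userinfo, query, fragment), normalise, and require an exact match
// against the registered set.
function strictReturnUrlCheck(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch (err) {
    return false; // not a URL at all
  }
  if (url.username || url.password || url.search || url.hash) return false;
  // WHATWG URL parsing has already resolved ".." segments and lower-cased the host.
  const normalized = `${url.protocol}//${url.host}${url.pathname}`;
  return REGISTERED_RETURN_URLS.has(normalized);
}

// The intermediary's final step: after the identity provider hands back an
// authorization code, forward it to the app at the requested return URL.
// Whoever controls that URL receives the code, so `validate` decides the outcome.
function completeSignIn(returnUrl, authorizationCode, validate) {
  if (!validate(returnUrl)) {
    return { ok: false, error: 'return URL is not registered for this app' };
  }
  const target = new URL(returnUrl);
  target.searchParams.set('code', authorizationCode);
  return { ok: true, redirectTo: target.href };
}

// Constructed inputs: two legitimate registered URLs and four attacker-supplied
// ones that keep the registered string as a prefix or otherwise try to sneak past.
const CANDIDATES = [
  'https://app.example.com/auth/callback',
  'https://app.example.com.attacker.example/auth/callback',
  'https://app.example.com@attacker.example/auth/callback',
  'https://app.example.com/auth/callback/../../open-redirect?to=https://attacker.example',
  'myapp://auth/callback',
  'javascript:alert(1)',
];

// Runs both checks over every candidate and returns a comparison table.
function compareChecks(candidates = CANDIDATES) {
  return candidates.map((url) => ({
    url,
    loose: looseReturnUrlCheck(url),
    strict: strictReturnUrlCheck(url),
  }));
}

for (const row of compareChecks()) {
  const l = row.loose ? 'loose:ACCEPT' : 'loose:reject';
  const s = row.strict ? 'strict:ACCEPT' : 'strict:reject';
  console.log(`${l}  ${s}  ${row.url}`);
}
```

The loose check passes four of the six candidates, including a look-alike subdomain, a userinfo trick, and a path-traversal-plus-query variant; with it, `completeSignIn` hands the authorization code to the attacker's host. The strict check passes only the two registered values, which is the "whitelist of predetermined values" approach quoted above.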
Because OAuth implementations are proving so complex, Salt Security plans to release a best-practice guide to help enterprises secure their OAuth implementations effectively, Carmel adds.