Salt Security, a leading API security company, has released new threat research revealing several critical security flaws in Expo, a framework developers use to build mobile applications for iOS, Android, and web platforms from a single codebase. The research, carried out by Salt Labs, found vulnerabilities in the Open Authorization (OAuth) social-login functionality provided by Expo, which could put at risk any user logging into a website or application built with the Expo framework through their Facebook, Google, Apple, or Twitter accounts.
The identified risk could have allowed bad actors to manipulate platform users and take complete control of their accounts. It could also have enabled credential leakage, exposing personally identifiable information (PII) and other sensitive user data stored by these sites, which could lead to identity theft and financial fraud. The Salt Labs research recommends that organisations deploy corrective measures to secure their platforms and safeguard users’ data.
The flaws detected have been assigned a Common Vulnerabilities and Exposures (CVE) identifier, CVE-2023-28131. The research team coordinated its disclosure with Expo following established responsible-disclosure practices. Expo has issued a patch for all of the issues, and investigations so far have found no evidence of exploitation in the wild.
OAuth is an industry-standard protocol that simplifies user registration and authentication by letting users sign in to multiple sites with a ‘one-click’ social media login. However, the complexity of the technical backend it relies on can lead to implementation faults that create loopholes resulting in security breaches. The findings underline how exposed enterprises are to a wide range of API security vulnerabilities, particularly those introduced by third-party frameworks, where a single flaw can affect the implementations of hundreds of sites and applications.
Salt Security’s API security research experts are warning businesses to carry out periodic audits of their API security and to be aware of the risks associated with OAuth. The company continues to educate businesses through its public forum, Salt Labs, for API security education and monitoring.
Yaniv Balmas, Vice President of Research at Salt Security, says, “Security vulnerabilities can happen on any website – it’s the response that matters. With OAuth rapidly becoming the industry standard, bad actors are tirelessly at work to find security vulnerabilities within it. Mis-implementation of OAuth can have a significant impact on both companies and customers as they leave precious data exposed, and organisations must stay on the pulse of security risks that exist within their platforms.”
Salt Security’s research has brought to light the increasing threat from API vulnerabilities, urging organisations to adopt best practices in securing their systems. The significant risk posed by OAuth, as shown by the Expo research, highlights the need for collaboration between API security companies, framework providers, and organisations to ensure that APIs are protected from exploitation by cybercriminals.