A vulnerability in the implementation of the Open Authorization (OAuth) standard has been discovered by a team from API security firm Salt Security’s Salt Labs. The flaw could give attackers the ability to take over user accounts, access and/or leak sensitive information, and commit financial fraud. OAuth is used by websites and applications to connect to Facebook, Google, Apple, Twitter, and other platforms for cross-platform authentication. This vulnerability was discovered in the OAuth implementation in Expo, an open-source framework for developing native mobile apps for iOS, Android, and other platforms using a single codebase.
The vulnerability could affect any user who signs in to an online service built on the framework with a social media account. The flaw in Expo is the second, and more significant, vulnerability that Salt researchers have found in an online platform’s OAuth implementation. In March, they discovered a flaw in Booking.com’s implementation of OAuth that could have allowed attackers to take over user accounts, gain full visibility into personal or payment-card data, and log in to accounts on other platforms.
OAuth is becoming a de facto authentication standard in modern service-based architectures and emerging AI-based platforms, which means any vulnerability in an OAuth implementation has a broad reach. Companies like Google, LinkedIn, Amazon, and Spotify have users who use OAuth to log into their services. According to research unveiled by software-as-a-service (SaaS) security firm DoControl, 24 percent of third-party AI apps require risky OAuth permissions.
“When users sign in using their Facebook or Google credentials, Expo acts as an intermediary and transfers the user’s credentials to the target website,” said Aviad Carmel, Salt security researcher. Attackers could exploit CVE-2023-28131 by manipulating Expo to send the user credentials to a malicious domain instead of the intended destination. This could have led to leaks of personal data or even financial fraud. Threat actors also could have performed actions on behalf of users on their social media accounts.
Salt Labs researchers discovered CVE-2023-28131 in Codecademy.com, an online platform that offers free coding classes across a dozen programming languages. The site has around 100 million users, and companies including Google, LinkedIn, Amazon, and Spotify use it to help train their employees. The researchers ultimately exploited the flaw to gain complete control of Codecademy.com accounts.
OAuth’s popularity stems from the fact that it provides a seamless user experience when interacting with frequently used websites, but it has a complex, technical back-end that can lead to implementation mistakes. To secure an OAuth implementation, an organization must understand how OAuth functions and which endpoints can receive user inputs. It may also be necessary to maintain a whitelist of predetermined values or implement other strict validation methods. Salt Security plans to release a best-practice guide in the future to help enterprises secure their OAuth implementations effectively.
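The attack described above works because the intermediary accepts an attacker-influenced destination for the user's credentials; the strict validation the last paragraph recommends comes down to allowlisting that destination. The following is an added example, not Expo's or Salt Labs' code: a weak prefix/substring check beside a strict origin allowlist, run over constructed return URLs (the parameter name, hostnames and allowed origins are assumptions).

```javascript
// Added example (not Expo's or Salt Labs' code): allowlist validation for the
// "return URL" an OAuth intermediary hands the user's credentials back to.
// Parameter name, hostnames and allowed origins below are assumptions.

// Exact origins the intermediary may redirect back to (constructed values).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Weak check: string prefix/substring matching on the raw parameter value.
function weakIsAllowed(returnUrl) {
  return returnUrl.startsWith("https://app.example.com") ||
         returnUrl.includes("app.example.com");
}

// Strict check: parse with the WHATWG URL parser, require https, and require
// the normalised origin (scheme + host + port) to be on the allowlist.
function strictIsAllowed(returnUrl) {
  let u;
  try {
    u = new URL(returnUrl);                 // throws on relative or unparseable input
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;   // rejects http:, javascript:, custom schemes
  if (u.username || u.password) return false;  // rejects userinfo tricks outright
  return ALLOWED_ORIGINS.has(u.origin);        // host is lowercased; port is part of origin
}

// Constructed inputs an attacker could place in the parameter. Only the first
// is a legitimate destination; the weak check accepts all of them.
const SAMPLE_RETURN_URLS = [
  "https://app.example.com/cb",               // legitimate
  "https://app.example.com.evil.test/cb",     // prefix confusion: different host
  "https://app.example.com@evil.test/cb",     // allowlisted name is userinfo, host is evil.test
  "https://evil.test/?next=app.example.com",  // substring match on a query value
  "http://app.example.com/cb",                // downgrade to cleartext
  "https://app.example.com:8443/cb",          // different origin (port)
  "//app.example.com/cb",                     // scheme-relative, not a valid absolute URL
];

function classify(returnUrl) {
  return { url: returnUrl, weak: weakIsAllowed(returnUrl), strict: strictIsAllowed(returnUrl) };
}

function report() {
  return SAMPLE_RETURN_URLS.map(classify);
}

console.table(report());
```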