UPDATED 08:00 EST / MAY 24 2023

SECURITY

Security flaws in mobile application developer tool Expo could have exposed users

New research out today from application programming interface security startup Salt Security Inc. details significant security flaws in the Expo framework, a tool for developing mobile applications.

The Expo framework is a set of tools, libraries and services that simplifies the process of building native applications for iOS, Android and web platforms. Rather than developing separate codebases for each platform, Expo enables developers to create apps across multiple platforms using a single codebase, accelerating the development process.

The vulnerabilities in Expo stemmed from an improper implementation of OAuth (Open Authorization), the authorization framework that underpins social login. OAuth lets users sign in to a site with a “one-click” login through an existing social media account instead of going through traditional registration and username/password authentication.

While OAuth is popular with developers and users alike, Salt Security’s researchers note that its technical complexity makes implementation errors common, and those errors open security vulnerabilities. Salt Labs found that by altering specific steps in the OAuth sequence on the Expo site, an attacker could hijack sessions, take over accounts, steal personal data including credit card details and health records, and carry out actions while impersonating users.

Notably, the researchers found the vulnerable OAuth implementation both within Expo itself and in web apps that companies had built with it, such as the popular free coding service Codecademy LLC. Companies that use Codecademy to train their employees include Google LLC, LinkedIn Inc., Amazon.com Inc. and Spotify Technology SA.

The flawed implementation potentially exposed users logging in via Facebook, Google, Apple Inc. and Twitter Inc. to various risks such as account takeover, personal data leakage, identity theft, financial fraud and unauthorized actions on other online platforms.

Upon discovering the vulnerabilities, Salt Labs followed coordinated disclosure practices and informed Expo of the issues. To its credit, Expo promptly remediated all of them, and the flaw was assigned a Common Vulnerabilities and Exposures identifier, CVE-2023-28131. No evidence that the flaws had been exploited was found.

The researchers conclude that the findings underscore the persistent threat posed by security vulnerabilities in third-party frameworks and the potentially significant impact a faulty OAuth implementation can have on companies and their customers. The findings serve as a reminder that organizations must stay vigilant about security risks within their platforms.

Image: Salt Security
