Security flaws in mobile application developer tool Expo could have exposed users
New research out today from application programming interface security startup Salt Security Inc. details significant security flaws in the Expo framework, a tool for developing mobile applications.
The Expo framework is a set of tools, libraries and services that simplifies the process of building native applications for iOS, Android and web platforms. Rather than developing separate codebases for each platform, Expo enables developers to create apps across multiple platforms using a single codebase, accelerating the development process.
The vulnerabilities in Expo stemmed from an improper implementation of OAuth (Open Authorization), the authorization protocol that underpins social media login. OAuth lets users sign in to a site with a “one-click” login through an existing social media account instead of going through traditional registration and username/password authentication.
While OAuth is popular with developers and users alike, Salt Security researchers note that its technical complexity can lead to implementation errors that open security vulnerabilities. Salt Labs, the company's research arm, found that by altering specific steps in the OAuth sequence on the Expo site it could hijack sessions, take over accounts, steal personal data including credit card details and health records, and carry out actions while impersonating users.
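As an added illustration of the class of mistake the researchers describe (this is not Expo's code and not Salt Labs' proof of concept; the allowlist, URLs, token and function names are constructed for the example), the JavaScript below shows an OAuth login broker that hands the provider's access token back to a caller-supplied return URL. A prefix match on the registered origin lets an attacker-controlled URL through; parsing the URL and comparing its components against an exact allowlist does not.

```javascript
// Added example, not Expo's code or Salt Labs' proof of concept.
// An OAuth broker that forwards the provider's access token to a
// caller-supplied return URL must validate that URL against an exact
// allowlist. Prefix or substring checks are bypassable.

// Constructed allowlist of return URLs registered by a hypothetical app.
const REGISTERED_RETURN_URLS = [
  "https://app.example.com/auth/callback",
  "myapp://auth/callback", // custom scheme used by a native app
];

// Vulnerable check: prefix match on "scheme://host" of each registered URL.
// "https://app.example.com.attacker.example/steal" and
// "https://app.example.com@attacker.example/steal" both pass.
function isAllowedReturnUrlVulnerable(returnUrl) {
  return REGISTERED_RETURN_URLS.some((registered) => {
    const r = new URL(registered);
    return returnUrl.startsWith(`${r.protocol}//${r.host}`);
  });
}

// Hardened check: parse the candidate, reject anything unparseable or
// carrying userinfo, then require scheme, host (including port) and path
// to match a registered URL exactly. Path normalisation by the URL parser
// also defeats "/auth/callback/../../other".
function isAllowedReturnUrl(returnUrl) {
  let candidate;
  try {
    candidate = new URL(returnUrl);
  } catch {
    return false; // unparseable input is rejected, never string-compared
  }
  if (candidate.username !== "" || candidate.password !== "") return false;
  return REGISTERED_RETURN_URLS.some((registered) => {
    const r = new URL(registered);
    return (
      candidate.protocol === r.protocol &&
      candidate.host === r.host &&
      candidate.pathname === r.pathname
    );
  });
}

// The step that leaks when the check is weak: after the identity provider
// calls back, the broker redirects the browser to the return URL with the
// token in the fragment. Returns the redirect target, or null if the
// return URL is rejected.
function completeLogin(returnUrl, accessToken, isAllowed) {
  if (!isAllowed(returnUrl)) return null;
  const target = new URL(returnUrl);
  target.hash = `access_token=${encodeURIComponent(accessToken)}`;
  return target.toString();
}

// Demo with a constructed token and an attacker-controlled return URL.
const demoToken = "ya29.example-token";
const demoAttackerUrl = "https://app.example.com.attacker.example/steal";
console.log("vulnerable:", completeLogin(demoAttackerUrl, demoToken, isAllowedReturnUrlVulnerable));
console.log("hardened:  ", completeLogin(demoAttackerUrl, demoToken, isAllowedReturnUrl));
```

The same exact-match rule applies to any redirect-style parameter in the flow, and refusing on parse failure rather than falling back to a string comparison is deliberate: the parser is what defeats the userinfo and path-traversal tricks, so an input it cannot parse has no safe interpretation.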
Notably, the researchers found the vulnerability both in Expo's own OAuth implementation and in companies that had built web apps with it, such as the popular free coding education service Codecademy LLC. Companies that use Codecademy to train their employees include Google LLC, LinkedIn Inc., Amazon.com Inc. and Spotify Technology SA.
The flawed implementation potentially exposed users logging in via Facebook, Google, Apple Inc. and Twitter Inc. to various risks such as account takeover, personal data leakage, identity theft, financial fraud and unauthorized actions on other online platforms.
Upon discovering the vulnerabilities, Salt Labs followed coordinated disclosure practices and informed Expo of the issues. To its credit, Expo promptly remediated all of the issues, and the flaw was assigned a Common Vulnerabilities and Exposures identifier, CVE-2023-28131. No evidence that these flaws had been exploited was discovered.
The researchers conclude that the findings underscore the persistent threat of security vulnerabilities in third-party frameworks and the potentially significant impact of faulty OAuth implementation on companies and customers. The findings serve as a reminder that organizations must stay vigilant about security risks within their platforms.
Image: Salt Security