The Vulnerability of Expo Platform that Exposes Multiple Third-Party Sites and Applications to Data Risks.

OAuth Vulnerability Puts User Accounts and Sensitive Data at Risk

API security firm Salt Security’s Salt Labs recently discovered a threat to the Open Authorization (OAuth) standard that websites and applications use to connect to Facebook, Google, Apple, Twitter, and more. The vulnerability could enable attackers to take over user accounts, access and/or leak sensitive information, and commit financial fraud. It could impact users that rely on social media accounts to log into any online service using Expo, an open-source framework for developing native mobile apps for iOS, Android, or other web platforms through the use of a single codebase. The flaw, tracked as CVE-2023-28131, is the second vulnerability Salt researchers have recently found in online OAuth implementations since OAuth is a challenging standard to implement securely. In March, Salt found a flaw in Booking.com’s OAuth implementation that could compromise user accounts, personal data, and payment-card data.

Third-Party Risk With OAuth Implementation

According to Aviad Carmel, a Salt Security researcher, OAuth is becoming the authentication standard for cloud-based architectures and emerging artificial intelligence (AI)-based platforms, so any vulnerability in an OAuth implementation can have broad implications. Moreover, SaaS security firm DoControl recently revealed that 24% of third-party AI apps require risky OAuth permissions. Expo swiftly resolved CVE-2023-28131 after the Salt researchers flagged the issue. However, the growing list of OAuth vulnerabilities and the complexity of configuring the standard properly suggest that other websites and apps may carry undisclosed vulnerabilities. Additionally, this finding shows how third-party frameworks can introduce API vulnerabilities that significantly harm a business without its knowledge, exposing customers to credential leaks and account takeover and giving attackers a foothold for further attacks.

Exploiting the Expo Flaw

When a social media user clicks on an OAuth-enabled link to log into Site A, it will open a window to Facebook, Google, or the trusted account used. If it is the first visit to Site A, the social media site will request permission to share Site A’s details with the user. The social media site will automatically authorize the user to Site A if the process has taken place previously. The OAuth vulnerability discovered by Salt Labs relates to the social sign-in process. When users sign in with their Facebook or Google credentials, Expo acts as an intermediary and transfers the users’ credentials to the target website. Attackers could exploit the vulnerability by intercepting this flow and manipulating Expo to send the credentials to a malicious domain as opposed to the intended destination. This exploitation could cause compromised personal data or even financial fraud if hackers used the credentials to log into users’ financial accounts. Carmel highlights that the popularity of OAuth stems from its ability to provide a much more seamless user experience but adds that it has a very technical, complex back-end that leads to implementation blunders that create security gaps open for exploitation.

Protecting Against OAuth Security Flaws

For organisations to secure their OAuth implementation, they have to understand how OAuth works and which endpoints can receive user input. Carmel advises that organisations can enforce strict validation by maintaining a whitelist of predetermined values or by implementing other strict validation methods. Since OAuth implementation is proving complicated, Salt Security plans to release a best-practice guide to help businesses secure their OAuth implementations.
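The whitelist approach Carmel describes, applied to the one input that mattered in the Expo flaw, the destination an intermediary forwards the sign-in result to. This is an added illustration, not Expo's or Salt Security's code; the origins in `ALLOWED_RETURN_ORIGINS` and all test inputs are constructed.

```javascript
// Added example: allowlist validation of an OAuth return destination.
// The defensive rule is that a sign-in result is only ever forwarded to an
// origin the deployment registered in advance, never to a caller-supplied one.
// Uses the WHATWG URL class, which is global in Node.js and browsers.

// Hypothetical allowlist of exact origins (scheme + host + port) for one deployment.
const ALLOWED_RETURN_ORIGINS = new Set([
  "https://app.example.com",
  "https://staging.example.com",
]);

// Returns { ok: true, destination } for an allowed URL, otherwise { ok: false, reason }.
// Matching is on the parsed origin, so host-prefix tricks, case differences,
// default-port variants and scheme downgrades are all handled by the parser,
// not by string comparison.
function checkReturnUrl(candidate, allowed = ALLOWED_RETURN_ORIGINS) {
  let url;
  try {
    url = new URL(candidate); // relative paths and garbage throw here
  } catch {
    return { ok: false, reason: "unparseable or relative URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "non-https scheme" };
  }
  if (url.username || url.password) {
    // The origin check would also reject these; rejecting early keeps logs clear.
    return { ok: false, reason: "embedded credentials in URL" };
  }
  if (!allowed.has(url.origin)) {
    return { ok: false, reason: `origin not registered: ${url.origin}` };
  }
  return { ok: true, destination: url.href };
}

// Constructed inputs a reviewer would want to see classified.
const SAMPLE_INPUTS = [
  "https://app.example.com/auth/callback",          // registered origin
  "https://APP.example.com:443/auth/callback",      // same origin after parsing
  "https://app.example.com.evil.test/auth/callback",// look-alike host
  "http://app.example.com/auth/callback",           // scheme downgrade
  "https://app.example.com@evil.test/auth/callback",// userinfo trick
  "//evil.test/auth/callback",                      // scheme-relative
];

for (const input of SAMPLE_INPUTS) {
  console.log(input, "=>", checkReturnUrl(input));
}
```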

Editorial

The OAuth standard is a fundamental tool that shapes both the technical architecture and the user experience of social media sign-ups. OAuth balances the benefits of APIs, cross-platform functionality, and user convenience, making it a treasured tool for applications and websites. However, cascading vulnerabilities in frameworks that support OAuth highlight that such importance comes with significant risks. Third-party sites that utilise OAuth are susceptible to vulnerabilities beyond their control, which can be leveraged to compromise user accounts. Enterprises must incorporate streamlined security protocols from their security providers, regular vulnerability assessments, and frequent API testing to ensure the robustness of their OAuth implementations. Moreover, the increased third-party ecosystem risk resulting from the extensive adoption of OAuth should be checked by introducing robust security controls and minimum standards for third-party risk assessment.

Advice

Individuals can protect their accounts by enabling two-factor authentication, changing passwords frequently, and being cautious of emails or links requesting sensitive information. Businesses, on the other hand, must implement multifactor authentication, conduct penetration testing, and enforce industry protocols across third-party providers that utilise OAuth. Moreover, development teams ought to attend additional training on OAuth implementation, periodically review the security of their OAuth implementations, rigorously audit third-party environments and APIs, and proactively monitor their environment for any signs of a breach.
