SALT Finds Login Bug in Expo Authentication Process
Researchers at the web security company SALT recently found an authentication bug, designated CVE-2023-28131, in Expo, an app-building toolkit used by many popular online services. The bug was in Expo’s OAuth (Open Authorization) service, which lets users access private data in an online service by indirectly authenticating via their Facebook or Google account. The bug was caused by Expo’s code failing inappropriately (open rather than closed), and it could be triggered by maliciously subverting the authentication brokerage process.
The Buggy Authentication Process Explained
An OAuth-style login to a third-party site such as example.com via your Facebook account begins with example.com asking your browser to obtain a “magic” access token from Facebook. You then visit a special Facebook URL, log in if you haven’t already, and ask Facebook to issue an access token for example.com. If Facebook approves the request, it returns an access token that example.com can use to authorize you.
Expo adds a wrapper around this verification process, handling authentication and validation on behalf of users and passing the magic access token on to the desired website. Expo’s handling of the verification is driven by a long URL with several parameters that is submitted to the Expo service. One of these parameters, stored temporarily in a web cookie called ru (short for returnURL), specifies where the final magic security token will be sent to enable access.
The Expo Authentication Bug Explained
The SALT researchers found that they could subvert the login process by using JavaScript in client-side code to open the initial Expo login URL but close the verification popup before the user had time to read or approve it. At that point Expo’s service had already set the ru cookie telling it where to call back with the magic access token. They thus tricked Expo’s code into remembering a return URL such as https://roguesite.example without the victim ever noticing.
The researchers then used another chunk of JavaScript to simulate Expo’s redirect to Facebook’s verification process. Facebook’s verification redirects back into Expo’s own JavaScript code, which trustingly but erroneously takes the unvalidated return URL for its callback from the ru cookie set at the start, without the victim’s knowledge or approval.
Fail Open or Fail Closed?
This vulnerability occurred because Expo’s code failed inappropriately. Authentication code should generally fail closed, meaning the process should not succeed unless some form of active approval has been signalled. Expo’s initial login code was modified to set the ru cookie only after users had explicitly approved the returnURL.
Editorial
The Expo authentication bug highlights the importance of strengthening the security mechanisms around the OAuth authentication framework, which is widely used across online services. Attackers are finding increasingly sophisticated ways to circumvent verification processes, leading to the exposure of user data. The Expo bug could have exposed the entire authentication process to cybercriminals, raising serious security concerns.
Recommendations
- Disclose responsibly when reporting and writing up bugs, giving the vendor a reasonable time to fix the vulnerability before publishing details that would allow others to create an exploit of their own.
- Ensure that your authentication code fails closed.
- Ensure that verification or approval steps cannot be neutralised simply by ignoring or cancelling them.
- Log out of web accounts when you aren’t actively using them.