VYPR
Critical severity · NVD Advisory · Published Apr 24, 2023 · Updated Feb 4, 2025

CVE-2023-28131


Description

An OAuth implementation flaw in the Expo AuthSession Redirect Proxy allows account takeover and credential theft via a malicious link, affecting apps and websites using Expo for social sign-in.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Analysis

CVE-2023-28131 is an OAuth implementation flaw in the open-source Expo framework. It affects applications and websites that use the Expo AuthSession Redirect Proxy for social sign-in (for example "Log in with Google" or "Log in with Facebook"). An attacker who gets a victim to open a crafted link, delivered by email, SMS or an attacker-controlled website, can take over the victim's account on the affected application and obtain the credentials issued during sign-in [1][2].

The root cause is insufficient validation of the redirect target in the proxy's handling of OAuth responses. A crafted link starts the sign-in flow through a vulnerable application's AuthSession proxy but points the flow at an attacker-controlled URI, so when the identity provider returns the authorization response, the proxy forwards it to the attacker rather than to the application, hijacking the OAuth flow. The attack needs no special privileges on the victim's side; it only requires that the victim be logged in to the target service and open the link [1].
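As an added illustration (not Expo's code, and not a reproduction of the proxy's actual check), the following JavaScript shows the class of validation failure the analysis describes: a redirect proxy that forwards an authorization response to a stored return URL, with a weak host-substring check beside an exact-match allowlist. The registered URIs, function names and sample inputs are constructed for the example.

```javascript
// Added illustration (not Expo's code): a minimal redirect-proxy "return URL"
// validator in the style of a hosted OAuth proxy. It contrasts a weak check
// that a crafted link defeats with an exact-match allowlist.
// All names, URIs and inputs below are hypothetical/constructed.

// Constructed: return URIs the app owner registered with the proxy.
const REGISTERED_RETURN_URIS = [
  "https://myapp.example/auth/callback",
  "myapp://auth/callback",
];

// Reduce a parsed URL to scheme + host + path so equivalent spellings compare
// equal and the query/fragment cannot be used to smuggle a match.
function canonical(parsed) {
  return `${parsed.protocol}//${parsed.host}${parsed.pathname}`;
}

// WEAK (hypothetical): "does the app's host appear in the URL?" A substring
// test is satisfied by https://evil.example/?x=https://myapp.example, by a
// look-alike subdomain, or by userinfo (https://myapp.example@evil.example/).
function weakIsAllowed(returnUrl, appHost) {
  return returnUrl.includes(appHost);
}

// STRICT: parse, reject anything carrying credentials or a query/fragment
// (the proxy appends code/state itself), then require an exact allowlist hit.
function strictIsAllowed(returnUrl, allowlist = REGISTERED_RETURN_URIS) {
  let parsed;
  try {
    parsed = new URL(returnUrl);
  } catch {
    return false; // unparsable -> reject
  }
  if (parsed.username || parsed.password) return false;
  if (parsed.search || parsed.hash) return false;
  const target = canonical(parsed);
  return allowlist.some((entry) => canonical(new URL(entry)) === target);
}

// What the proxy does after the identity provider calls back: forward the
// authorization response to the app. Returns null instead of a redirect
// when the stored return URL fails validation, closing the forwarding path
// to an attacker-controlled URI.
function buildRedirect(returnUrl, code, state, allowlist = REGISTERED_RETURN_URIS) {
  if (!strictIsAllowed(returnUrl, allowlist)) return null;
  const target = new URL(returnUrl);
  target.searchParams.set("code", code);
  target.searchParams.set("state", state);
  return target.toString();
}

// Constructed return URLs a crafted link might carry.
const SAMPLES = [
  "https://myapp.example/auth/callback",                   // legitimate
  "https://evil.example/steal?fake=https://myapp.example", // app host in query
  "https://myapp.example.evil.example/auth/callback",      // look-alike subdomain
  "https://myapp.example@evil.example/auth/callback",      // userinfo trick
  "myapp://auth/callback",                                 // registered custom scheme
];

for (const url of SAMPLES) {
  console.log(
    `${url}\n  weak=${weakIsAllowed(url, "myapp.example")} strict=${strictIsAllowed(url)}`
  );
}
```

Run it with node. The strict path deliberately drops any return URL that carries credentials, a query or a fragment, because the proxy is the party that appends code and state; an app that needs extra state should carry it in the OAuth state parameter rather than in the return URL.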

The impact is significant: the attacker gains control of the victim's account on the vulnerable application, with access to its data and the ability to act as the user. The flaw was discovered by researchers at Salt Security, who noted that because Expo is a widely used third-party framework, the exposure is broad, extending to hundreds of sites and apps [1].

At the time of disclosure, Expo had been notified and a fix was expected to be integrated into the framework, with users advised to update as soon as a patched version became available [1]. The GitHub Security Advisory now lists expo 48.0.0 as the patched release (see Affected packages below), so applications built on earlier SDKs should move to 48.0.0 or later. More generally, any return or redirect URL that an authorization response is forwarded to should be validated by exact match against a pre-registered allowlist, never by prefix or substring matching.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
expo      npm         < 48.0.0            48.0.0

Affected products: 2


References: 4
