CVE-2023-28131: Security advisory for developers using AuthSession’s “useProxy” options and auth.expo.io

A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the “Expo AuthSession Redirect Proxy” for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc).


Migrate from useProxy, deprecated as of SDK 48, to using your app’s own links directly. While there is no urgent issue, this migration improves security and reliability.

Today, we are recommending developers using the AuthSession module’s useProxy options to migrate to using deep links with third-party authentication providers directly, which is more secure and reliable. The reason for this change is two-fold.

Firstly, security researchers at Salt Labs let us know last Friday about a potential vulnerability with the AuthSession proxy (auth.expo.io). This issue was fixed within a few hours of the report and we found no evidence of a breach. There is no urgent need to migrate. However, we believe it is more secure for apps to directly register their own links with third-party auth providers, rather than to use an intermediate service.

Secondly, direct links have been more reliable than the auth session proxy due to how browsers have changed their cookie policies over the past few years, which sometimes caused end users with strict browser settings to be unable to log in with third-party auth providers. For these two reasons, we have deprecated the AuthSession module’s useProxy options in SDK 48, as well as the auth.expo.io service.

Security

The vulnerability reported by Salt Labs has been mitigated and there is no urgent need to migrate. We deployed a hotfix a few hours after learning about the issue.

The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials. This was because auth.expo.io used to store an app’s callback URL before the user explicitly confirmed they trust the callback URL. After the hotfix, auth.expo.io now requires users to confirm they trust unverified callback URLs. In addition to mitigating the issue, we analyzed our access logs and to the best of our knowledge believe there has been no breach and this vulnerability was never exploited.
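The policy change described above, modelled as an added example (this is not Expo's code and not the auth.expo.io implementation): an OAuth redirect proxy records the app's requested callback URL when the flow starts, but forwards the provider's result to it only if that URL is pre-registered for the app or the user has explicitly confirmed an unverified URL. The registry contents, the app slug "acme/myapp", the sample URLs and the list of refused schemes are constructed assumptions.

```javascript
// Added example, not Expo's code: a minimal model of a callback-URL policy for an
// OAuth redirect proxy. The proxy stores the requested callback at flow start but
// only redirects to it at flow end if it is registered for the app, or the user
// explicitly confirmed an unverified URL. Registry and sample values are constructed.

// Constructed registry: app slug -> callback URLs the developer registered.
const REGISTERED_CALLBACKS = {
  'acme/myapp': ['myapp://auth', 'https://myapp.example/auth/callback'],
};

// Schemes an auth proxy should never forward a result to (assumption).
const FORBIDDEN_SCHEMES = new Set(['javascript:', 'data:', 'file:', 'vbscript:']);

// Parse and normalize a callback URL for exact comparison. Returns null for
// anything unparseable, credential-bearing, or using a forbidden scheme.
function normalizeCallback(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (FORBIDDEN_SCHEMES.has(u.protocol)) return null;
  if (u.username || u.password) return null; // "https://myapp.example@evil.example" style
  u.hash = ''; // fragments are never part of a registration
  return u.href;
}

// Decide what to do with a callback URL. Exact match only: a prefix or substring
// check would let "https://myapp.example.evil.net/..." through.
function callbackDecision(appSlug, callbackUrl, userConfirmed) {
  const normalized = normalizeCallback(callbackUrl);
  if (normalized === null) {
    return { action: 'reject', reason: 'unparseable or unsafe callback URL' };
  }
  const registered = (REGISTERED_CALLBACKS[appSlug] || [])
    .map(normalizeCallback)
    .filter((c) => c !== null);
  if (registered.includes(normalized)) {
    return { action: 'redirect', reason: 'registered callback' };
  }
  if (userConfirmed) {
    return { action: 'redirect', reason: 'user confirmed unverified callback' };
  }
  return { action: 'confirm', reason: 'unverified callback needs explicit user confirmation' };
}

// Flow start: the proxy stores the requested callback but does not yet trust it.
function startSession(appSlug, callbackUrl) {
  return { appSlug, callbackUrl, confirmed: false };
}

// Only the confirmation page shown for an unverified callback calls this.
function confirmSession(session) {
  return { ...session, confirmed: true };
}

// Flow end: the provider has returned; forward the result only if policy allows.
// The flaw the advisory describes is the case where this step trusts the stored
// URL unconditionally; here an unverified, unconfirmed URL yields no redirect.
function completeSession(session, providerResult) {
  const decision = callbackDecision(session.appSlug, session.callbackUrl, session.confirmed);
  if (decision.action !== 'redirect') {
    return { ...decision, location: null };
  }
  const target = new URL(normalizeCallback(session.callbackUrl));
  target.searchParams.set('code', providerResult.code);
  target.searchParams.set('state', providerResult.state);
  return { ...decision, location: target.href };
}

// Demo with constructed inputs.
const result = { code: 'abc', state: 'xyz' };
console.log(completeSession(startSession('acme/myapp', 'myapp://auth'), result));
console.log(completeSession(startSession('acme/myapp', 'https://unverified.example/cb'), result));
```

The comparison is deliberately an exact match on the normalized URL rather than a host or prefix check, and the decision is taken at flow end rather than flow start, so a callback that was merely stored when the flow began never receives the provider's code without either a registration or a user confirmation.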

However, we recommend developers migrate to using their app’s own links directly. While the surface area of auth.expo.io is small, the surface area of using no intermediate service is even smaller. And, as previously mentioned, direct links also work more reliably on devices with stricter browser configurations.

Reliability

Due to web browser changes like WebKit’s Tracking Prevention, the AuthSession proxy service may not work reliably in edge cases such as when a user’s device is configured to block cookies or prevent cross-site tracking. The AuthSession proxy service does not track nor collect any user data but it requires cookies to correctly redirect back to your app after the user has authenticated with the third-party auth provider. The proxy also does not work if the browser’s settings or heuristics block cookies. In contrast, configuring a third-party authentication provider to redirect directly to your app’s deep link does not have these issues.

Migration steps

Follow this migration guide to learn how to switch from using useProxy and auth.expo.io to using your app’s own links. If you are using Expo Go to develop, you will need to create a development build of your own app in order to customize your deep link URL schemes.

Questions

Let us know how we can help by reaching out to us on Discord or through the website.
