A critical API flaw in the Expo open-source framework allowed attackers to harvest authentication credentials through the Open Authorization (OAuth) login flow. The vulnerability, while affecting a relatively small number of developers, had the potential to impact a wide range of users logging in to online services such as Facebook, Twitter or Spotify through apps built on the framework, according to the researchers at Salt Labs who found the bugs.
A successful attack could have allowed an adversary to take over accounts and steal credentials on any mobile app or website configured to use the Expo AuthSession Redirect Proxy. An attack could have been triggered simply by a victim clicking on a malicious link.
Expo (auth.expo.io) is used by developers to build native apps for iOS, Android and the web from a single set of tools, libraries and services, and is considered an effective way to accelerate application development.
“The vulnerability may impact hundreds of companies using Expo, including Codecademy,” according to Salt Labs. Researchers stress “the surface area of auth.expo.io is small” thereby reducing the number of impacted social sign-on instances.
Codecademy is a popular online platform with 100 million users and offers free coding classes. “The Salt Labs team was able to exploit the Expo vulnerability on the Codecademy site to gain complete control of accounts,” wrote researchers in a May 24 blog post.
The industry-standard OAuth is used by sites and apps as a “one click” login to access sites using social media