CVE-2023-28131 : OAuth Flaws Impact Hundreds of Online Services

This post details issues identified in Expo, a popular framework many online services use to implement OAuth (as well as other functionality). The vulnerability in the expo-auth-session library warranted a CVE assignment – CVE-2023-28131. Expo created a hotfix within the day that automatically provided mitigation, but Expo recommends that customers update their deployment to deprecate this service to remove the risk entirely (see the Expo security advisory on the topic).

The vulnerability was discovered by researchers at Salt Security. It leads to credential leakage and allows:

Full account takeover, leading to identity theft, financial fraud, access to credit cards, and more.
In certain cases, it also allows a malicious actor to perform actions on behalf of a compromised user on Facebook, Google, Twitter, and other online platforms.

Please note this is specific to Expo, a React framework, and is not a vulnerability in OAuth itself.


Posted by SH
