This post details issues identified in Expo, a popular framework many online services use to implement OAuth (as well as other functionality). The vulnerability in the expo-auth-session library warranted a CVE assignment – CVE-2023-28131. Expo created a hotfix within the day that automatically provided mitigation, but Expo recommends that customers update their deployment to deprecate this service to remove the risk entirely (see the Expo security advisory on the topic).
The vulnerability was discovered by researchers at Salt Security. It leads to credential leakage and allows:
Full account takeover, leading to identity theft, financial fraud, access to credit cards, and more.
In certain cases, it also allows a malicious actor to perform actions on behalf of a compromised user on Facebook, Google, Twitter, and other online platforms.
Please note that this is specific to Expo, a React framework, and is not a vulnerability in OAuth itself.