"API Bug in OAuth Dev Tool Opened Websites, Apps to Account Hijacking"

A critical Application Programming Interface (API) vulnerability in the Expo open source framework enabled the harvesting of auth credentials via the Open Authorization (OAuth) protocol. According to researchers at Salt Labs, the vulnerability, while affecting a relatively small number of developers, could have impacted many users logging into online services such as Facebook, Twitter, or Spotify via the open source framework. A successful attack could have let an adversary take over accounts and steal credentials on a mobile app or website configured to use the Expo AuthSession Redirect Proxy. A victim could have triggered an attack by clicking on a malicious link. Developers use Expo (auth.expo.io) to create native apps for iOS, Android, and web platforms with a single set of tools, libraries, and services. It is regarded as an efficient method to accelerate the application development process. According to Salt Labs, the vulnerability may affect hundreds of companies using Expo, including Codecademy. However, researchers emphasize the small surface area of auth.expo.io, which reduces the number of social sign-on instances involved. This article continues to discuss the potential manipulation of steps in the OAuth sequences via the Expo API to hijack sessions and take over accounts. 

SC Media reports "API Bug in OAuth Dev Tool Opened Websites, Apps to Account Hijacking"
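The summary above describes account takeover through an OAuth redirect proxy, a service that receives the provider's response and forwards it to an application's return URL. This page gives no technical detail on the Expo flaw itself, so what follows is a generic defensive illustration added here, not code from Expo, Salt Labs or SC Media: a strict, exact-match return-URL allowlist of the kind a redirect proxy should enforce before sending an authorization code anywhere. The app slug `example-app`, the registered URLs and the candidate URLs are constructed for the example.

```python
from urllib.parse import urlsplit, urlencode

# Constructed registry: each app that uses the proxy registers the exact return
# URLs it will accept. Nothing outside this registry is ever redirected to.
REGISTERED_RETURN_URLS = {
    "example-app": {
        "https://app.example.com/auth/callback",
        "exampleapp://auth",
    },
}


def canonicalize(url):
    """Reduce a URL to a strict canonical form for exact comparison.

    Returns None for anything that should never be a redirect target:
    missing scheme or host, embedded credentials (user@host tricks),
    a fragment, or an unparseable port.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.fragment:
        return None
    host = parts.hostname.lower()
    if port is not None:
        host = f"{host}:{port}"  # an explicit port must be registered explicitly
    canonical = f"{parts.scheme.lower()}://{host}{parts.path}"
    if parts.query:
        canonical += f"?{parts.query}"  # query strings must match exactly too
    return canonical


def resolve_return_url(app_slug, candidate):
    """Return the registered URL that `candidate` exactly matches, or None.

    The value returned is the registered string, never the caller-supplied
    one, so the proxy only redirects to URLs taken from its own registry.
    """
    wanted = canonicalize(candidate)
    if wanted is None:
        return None
    for registered in REGISTERED_RETURN_URLS.get(app_slug, ()):
        if canonicalize(registered) == wanted:
            return registered
    return None


def build_final_redirect(app_slug, candidate, code):
    """Build the redirect that hands the authorization code back to the app.

    Raises ValueError rather than forwarding the code to an unregistered URL.
    """
    target = resolve_return_url(app_slug, candidate)
    if target is None:
        raise ValueError(f"return URL not registered for {app_slug}: {candidate!r}")
    separator = "&" if "?" in target else "?"
    return target + separator + urlencode({"code": code})


if __name__ == "__main__":
    # Constructed candidates, including shapes a lax matcher would wrongly accept.
    for url in [
        "https://app.example.com/auth/callback",
        "HTTPS://APP.EXAMPLE.COM/auth/callback",
        "exampleapp://auth",
        "https://app.example.com.attacker.test/auth/callback",
        "https://app.example.com@attacker.test/auth/callback",
        "https://app.example.com/auth/callback#token",
        "https://app.example.com/auth/callback?next=https://attacker.test",
        "javascript:alert(1)",
    ]:
        print(f"{url!r:70} -> {resolve_return_url('example-app', url)}")
```

The design choice worth noting is that the proxy never redirects to the string it was given; it redirects to the registered entry that the string matched, after a comparison that treats host suffixes, embedded credentials, fragments and extra query parameters as mismatches. That is the property a redirect proxy needs so that a crafted link cannot steer the authorization code to a host the application never registered.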

 
