
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2023-28131) was discovered in the Expo.io framework's OAuth implementation, specifically affecting the AuthSession Proxy functionality. The vulnerability, which received a CVSS score of 9.6 (Critical), was discovered in February 2023 and allows attackers to take over accounts and steal credentials from applications and websites that configured the 'Expo AuthSession Redirect Proxy' for social sign-in (Dark Reading, Hacker News).
The vulnerability exists in the OAuth implementation within Expo's social sign-in process. When users authenticate using Facebook or Google credentials, Expo acts as an intermediary that transfers user credentials to the target website. The flaw allowed attackers to manipulate this flow by intercepting it and redirecting user credentials to a malicious domain instead of the intended destination. The issue specifically occurred because auth.expo.io stored an app's callback URL before the user explicitly confirmed they trusted the callback URL (Dark Reading).
The vulnerability's impact was potentially widespread due to Expo's large install base, affecting hundreds of websites and applications. The flaw could lead to account takeovers, sensitive data leaks, potential financial fraud through compromised credentials, and unauthorized actions performed on behalf of users on various platforms such as Facebook, Google, or Twitter. Researchers demonstrated the vulnerability's severity by successfully gaining complete control of Codecademy.com accounts, a platform used by major companies including Google, LinkedIn, Amazon, and Spotify (Dark Reading).
Expo addressed the vulnerability within hours of its discovery on February 18, 2023, by deploying a hotfix that requires users to explicitly confirm they trust unverified callback URLs. The company has since deprecated the AuthSession module's useProxy options in SDK 48 and the auth.expo.io service. Expo recommends that developers migrate away from the AuthSession API proxies and instead register their own deep link URL schemes directly with third-party authentication providers for SSO features (Expo Blog).
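To make the root cause and the hotfix described above concrete, here is an added toy model of a redirect proxy (assumed design written for this report, not Expo's code): the app slug, the `acmeshop` scheme and the URLs are constructed, and `require_confirmation=False` reproduces the defect of storing the callback URL at login start and forwarding credentials to it without any user confirmation, while the default path only forwards to a callback that is a registered scheme or was explicitly confirmed in the same session.

```python
import secrets
from urllib.parse import urlparse

# Constructed data: app slug -> deep-link schemes the developer registered
# with the proxy. Any callback using another scheme is "unverified".
REGISTERED_SCHEMES = {"@acme/shop": {"acmeshop"}}


class AuthSessionProxy:
    """Toy model of a redirect proxy (assumed design, not Expo's code).

    require_confirmation=False models the pre-hotfix behaviour: the callback
    URL recorded at login start is used at the end without the user ever
    confirming it. The default (True) models the hotfix: credentials are
    forwarded only to a registered scheme or a URL the user confirmed in
    this same session.
    """

    def __init__(self, registered=REGISTERED_SCHEMES, require_confirmation=True):
        self.registered = registered
        self.require_confirmation = require_confirmation
        self.sessions = {}  # session id -> pending login state

    def start(self, app_slug, callback_url):
        # Step 1: the app opens the proxy with its callback URL. The URL is
        # recorded as *pending* for this session only, never as trusted.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"app": app_slug, "callback": callback_url, "confirmed": False}
        return sid

    def is_verified(self, sid):
        # A callback is verified when its scheme was registered by the developer.
        s = self.sessions[sid]
        return urlparse(s["callback"]).scheme in self.registered.get(s["app"], set())

    def confirm(self, sid):
        # Step 2 (hotfix): the user is shown the callback URL and confirms it.
        self.sessions[sid]["confirmed"] = True

    def complete(self, sid, idp_token):
        # Step 3: the identity provider returns; decide where the token may go.
        trusted = self.is_verified(sid) or self.sessions[sid]["confirmed"]
        s = self.sessions.pop(sid)
        if self.require_confirmation and not trusted:
            return None  # refuse to forward credentials to an unconfirmed URL
        return f'{s["callback"]}#access_token={idp_token}'
```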
According to Expo's analysis of their access logs, there was no evidence of the vulnerability being exploited in the wild before it was patched. The discovery highlighted the broader challenges in implementing OAuth securely, with Salt Security planning to release a best-practice guide to help enterprises secure their OAuth implementations effectively (Dark Reading).
Source: This report was generated using AI