
OAuth Flaw Exposed Social Media Logins to Account Takeover

submitted by
Style Pass
2023-05-26 14:00:16

API Security , Fraud Management & Cybercrime , Social Media

A new OAuth-related vulnerability in an open-source application development framework could expose Facebook, Google, Apple and Twitter users to account takeover, personal data leakage, identity theft, financial fraud and unauthorized actions on other online platforms, security researchers said.

API security firm Salt Security discovered the security flaw in the Expo framework, which many online services use to implement the OAuth authentication protocol. The vulnerability lies in the software's social login functionality and is tracked as CVE-2023-28131.

OAuth is a standard protocol for users to grant access to their private resources on one website or application to another website or application, without sharing their login credentials. How it does this is complicated and can lead to security issues. Salt Labs researchers discovered that by changing some steps in the OAuth process on the Expo site, they could take control of other accounts and steal personal information such as credit card numbers, private messages and health records - and perform tasks online on behalf of other users.
