Security advisory for developers using AuthSession’s “useProxy” options and auth.expo.io

Migrate from useProxy, deprecated as of SDK 48, to using your app’s own links directly. While there is no urgent issue, this migration improves security and reliability. This post addresses CVE-2023-28131.

James Ide
Exposition


Today, we are recommending developers using the AuthSession module’s useProxy options to migrate to using deep links with third-party authentication providers directly, which is more secure and reliable. The reason for this change is two-fold.

Firstly, security researchers at Salt Labs let us know last Friday about a potential vulnerability with the AuthSession proxy (auth.expo.io). This issue was fixed within a few hours of the report and we found no evidence of a breach. There is no urgent need to migrate. However, we believe it is more secure for apps to directly register their own links with third-party auth providers, rather than to use an intermediate service.

Secondly, direct links have been more reliable than the auth session proxy due to how browsers have changed their cookie policies over the past few years, which sometimes caused end users with strict browser settings to be unable to log in with third-party auth providers. For these two reasons, we have deprecated the AuthSession module’s useProxy options in SDK 48, as well as the auth.expo.io service.

Security

The vulnerability reported by Salt Labs has been mitigated and there is no urgent need to migrate. We deployed a hotfix a few hours after learning about the issue.

The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials. This was possible because auth.expo.io stored an app’s callback URL before the user had explicitly confirmed that they trusted it. After the hotfix, auth.expo.io requires users to confirm they trust unverified callback URLs. In addition to mitigating the issue, we analyzed our access logs and, to the best of our knowledge, there has been no breach and this vulnerability was never exploited.
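As an added illustration of the behaviour described above (example code, not Expo’s or auth.expo.io’s own implementation; the app identifier, registry and URLs are constructed), the following models a proxy that forwards an auth response only to a callback URL that is registered for the app or that the user has explicitly confirmed, comparing canonical URLs rather than prefixes:

```javascript
// Added example, not Expo's code: models the callback-URL decision described in
// the advisory. Callback URLs registered for an app are forwarded to directly;
// any other URL is held until the user explicitly confirms they trust it.

// Constructed registry of verified callback URLs keyed by a hypothetical app id.
const VERIFIED_CALLBACKS = new Map([
  ['acme-shopping', new Set(['acme://redirect', 'https://app.acme.example/auth'])],
]);

// Canonical form for comparison: run through the URL parser (lower-cased scheme
// and host), with query and fragment removed so only scheme, host and path are
// compared. Returns null if the string is not a parseable URL.
function canonicalCallback(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  url.search = '';
  url.hash = '';
  return url.toString().replace(/\/$/, '');
}

// Decide what the proxy does with an auth response destined for `returnUrl`.
// Exact match against the registry defeats prefix tricks such as
// "https://app.acme.example.evil.test/auth" passing a startsWith() check
// for "https://app.acme.example".
function decideCallback(appId, returnUrl, userConfirmed = false) {
  const target = canonicalCallback(returnUrl);
  if (target === null) {
    return { action: 'reject', reason: 'malformed callback URL' };
  }
  const verified = VERIFIED_CALLBACKS.get(appId);
  if (verified !== undefined && verified.has(target)) {
    return { action: 'redirect', to: target };
  }
  if (userConfirmed) {
    // The user was shown the unverified URL and chose to trust it.
    return { action: 'redirect', to: target };
  }
  // Pre-hotfix behaviour would have redirected here; now confirmation comes first.
  return { action: 'confirm', to: target };
}
```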

However, we recommend developers migrate to using their app’s own links directly. While the surface area of auth.expo.io is small, the surface area of using no intermediate service is even smaller. And, as previously mentioned, direct links also work more reliably on devices with stricter browser configurations.

Reliability

Due to web browser changes like WebKit’s Tracking Prevention, the AuthSession proxy service may not work reliably in edge cases such as when a user’s device is configured to block cookies or prevent cross-site tracking. The AuthSession proxy service does not track or collect any user data, but it requires cookies to correctly redirect back to your app after the user has authenticated with the third-party auth provider, so it does not work when the browser’s settings or heuristics block cookies. In contrast, configuring a third-party authentication provider to redirect directly to your app’s deep link does not have these issues.

Migration steps

Follow this migration guide to learn how to switch from using useProxy and auth.expo.io to using your app’s own links. If you are using Expo Go to develop, you will need to create a development build of your own app in order to customize your deep link URL schemes.

Questions

Let us know how we can help by reaching out to us on Discord or through the website.
