Critical OAuth-XSS Flaw Exposes Millions to Data Breaches via Hotjar and Other Sites
July 30, 2024

Salt Security's Salt Labs has reported a significant vulnerability that combines OAuth manipulation with cross-site scripting (XSS), potentially allowing attackers to gain unauthorized access to sensitive user data across millions of websites.
One of the most concerning instances of this vulnerability was found in the web analytics platform Hotjar, which tracks user activity for over a million websites and collects personal data such as names, emails, and bank details.
The exploitation method involved manipulating Hotjar's OAuth social-login flow, which redirects users to Google for authentication, so that an attacker could extract the OAuth credentials returned by that flow.
This combination of XSS and OAuth can lead to account takeovers: an attacker can manipulate the OAuth authentication flow and read the resulting OAuth tokens out of a URL the attacker controls.
Salt Labs indicated that attackers could easily take full control of a user's account through a simple phishing link, which could be disseminated via email or social media.
In light of these vulnerabilities, users are advised to exercise caution when clicking on links, even those that appear to come from trusted sources.
Salt Labs believes that similar vulnerabilities are likely present on many other sites due to inadequate OAuth implementation practices, putting millions of users at risk.
To combat these threats, Salt Labs has released a free scanner tool to help website owners identify potential OAuth XSS vulnerabilities.
Mitigation strategies for XSS include manual input sanitization, using modern web frameworks, implementing HTTP-only cookies, and enforcing Content Security Policy (CSP).
This incident serves as a wake-up call for the industry to reassess security measures against evolving threats, especially as reliance on online services continues to increase.
The article concludes with an invitation to read the next part of the series, which will explore another company's vulnerabilities related to XSS and OAuth.
Summary based on 4 sources
Sources
Dark Reading, Jul 29, 2024: "OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover"
SecurityWeek, Jul 29, 2024: "Millions of Websites Susceptible XSS Attack via OAuth Implementation Flaw"
Security Boulevard, Jul 29, 2024: "Over 1 Million websites are at risk of sensitive information leakage - XSS is dead. Long live XSS"
Hackread, Jul 29, 2024: "XSS and OAuth Combo Threatens Millions of Users Due to Hotjar Flaw"