Critical OAuth-XSS Flaw Exposes Millions to Data Breaches via Hotjar and Other Sites

July 30, 2024
  • Salt Security's research arm, Salt Labs, has reported a class of vulnerability that chains cross-site scripting (XSS) with a weak OAuth login implementation, allowing an attacker to gain unauthorized access to sensitive user data on potentially millions of websites.

  • One of the most concerning instances of this vulnerability was found in the web analytics platform Hotjar, which tracks user activity for over a million websites and collects personal data such as names, emails, and bank details.

  • The exploit chain abused Hotjar's OAuth-based social login: a crafted link sends the victim through Google sign-in, and when Google redirects the browser back to Hotjar with the OAuth credential in the URL, a script injected through the XSS flaw is already running on the Hotjar page and can read it.

  • Chained this way, XSS and OAuth lead to account takeover: the attacker steers the OAuth flow from a URL they control and then reads the resulting OAuth token from that URL, without ever needing the victim's password.

  • According to Salt Labs, an attacker needs only a single phishing link, sent by email or posted on social media, to take full control of the victim's account.

  • In light of these vulnerabilities, users are advised to exercise caution when clicking on links, even those that appear to come from trusted sources.

  • Salt Labs believes that similar vulnerabilities are likely present on many other sites due to inadequate OAuth implementation practices, putting millions of users at risk.

  • To combat these threats, Salt Labs has released a free scanner tool to help website owners identify potential OAuth XSS vulnerabilities.

  • Mitigations for XSS include context-aware output encoding of untrusted input (rather than ad-hoc manual sanitization), using a modern web framework that encodes by default, marking session cookies HttpOnly, and enforcing a Content Security Policy (CSP). One caveat for this particular chain: HttpOnly cookies do not protect an OAuth token that the login flow places in the URL or in JavaScript-accessible storage, so the OAuth flow itself must be designed not to expose tokens to page scripts.

  • This incident serves as a wake-up call for the industry to reassess security measures against evolving threats, especially as reliance on online services continues to increase.

  • The article concludes with an invitation to read the next part of the series, which will explore another company's vulnerabilities related to XSS and OAuth.

Summary based on 4 sources



Sources

XSS and OAuth Combo Threatens Millions of Users Due to Hotjar Flaw
Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News • Jul 29, 2024
