OAuth Implementation Flaw Puts Millions of Websites at Risk of XSS Attacks

• Researchers at Salt Security have uncovered security flaws in Hotjar’s web analytics services that could threaten millions of websites.
• The OAuth flaw potentially allows malicious actors to leverage cross-site scripting (XSS) to access sensitive data in targeted devices.

Researchers at Salt Security recently highlighted a critical flaw affecting over a million websites. Cross-site scripting (XSS) combined with OAuth increases the chances of exposure to sensitive data. XSS typically allows attackers to run malicious scripts in the browsers of targeted devices.

XSS is a standard web security issue that allows attackers to inject malicious scripts into web pages viewed by other users. Over the years, developers have implemented various mitigations, such as modern web frameworks, input sanitization, Content Security Policy, and HTTP-Only cookies, which have largely eliminated XSS issues.

However, the newly discovered issue has raised significant concerns over the adequacy of these security measures. Essentially, the attack forges and intercepts login processes and obtains legitimate login secrets.

The attack requires a crafted link to Google to mimic a Hotjar social login attempt. However, a request for a code token is sent to prevent a once-only code from being used. This is followed by social engineering strategies to persuade victims to click a false link and start the attack.

See More: US Government Indicts North Korean Hacker Rim Jong Hyok, Offers $10M Reward

The XSS Vulnerability

Salt Labs researchers discovered that attackers could circumvent conventional XSS defenses by leveraging OAuth. The research primarily focused on Hotjar, a widely used analytics service. Despite Hotjar implementing robust security practices, researchers have found that combining XSS with OAuth could lead to the takeovers of Hotjar accounts.

Hotjar records user interactions and captures sensitive data, such as names, addresses, emails, banking details, private messages, and credentials. Researchers have identified a flaw in which a malicious URL could exploit OAuth to gain unauthorized access. This issue has been resolved but underscores the need for continuous security monitoring.

The implications of the vulnerability are wide-ranging. Websites using OAuth for authentication are particularly susceptible. These include websites of prominent companies such as Microsoft, Adobe, Columbia, Panasonic, Decathlon, RyanAir, Nintendo, T-Mobile, and many others.

Hotjar followed all current best practices to prevent XSS attacks, which should have prevented typical attacks. However, it also uses OAuth to allow social logins. Consequently, the flaw could be exploited to take over accounts and steal sensitive data. Since such safeguards are used by millions of websites worldwide, this highlights the need for updated security measures.

Mitigation Measures

• Manual input sanitization and encoding output: Users should regularly sanitize and encode user inputs to prevent the execution of unauthorized scripts.
• Modern web frameworks: One should leverage frameworks like React and Angular, which offer in-built protections against XSS.
• HTTP-Only cookies: Organizations should ensure cookies are set with HTTP-Only attributes to prevent access via JavaScript.
• Content security policy: Content security policy should be defined and enforced to restrict sources of executable scripts.

Takeaways

The evolution of web security has resulted in the need for vigilance and proactive measures. The combination of new technologies such as OAuth and old vulnerabilities like XSS has revealed threats to websites. The issue is not a problem with OAuth itself but with its implementation. Since this vulnerability cannot be patched centrally, organizations should stay updated with security practices to protect sensitive data.

LATEST NEWS STORIES

• X Is Quietly Training Grok With Your Posts, Here’s How You Can Opt Out
• CrowdStrike Outage to Cost Billions, Insurance Estimates Reveal
• Microsoft and OpenAI Incorporate Artificial Intelligence Features in Search Engines
• Mimecast Acquires Code42