OAuth & XSS Vulnerabilities - A Major Threat to Millions
An attack flow that combines API flaws within “log in with” implementations and web injection bugs could affect millions of websites. This sophisticated exploitation strategy, leveraging OAuth and XSS vulnerabilities, has been identified in widely-used services like Hotjar and Business Insider, exposing sensitive user data and risking full account takeovers.
The Threat Landscape
Critical Flaws Discovered
Salt Security’s Salt Labs recently unveiled security flaws in the Hotjar service, which tracks and records web user activity, and the popular Business Insider website. These vulnerabilities, when exploited together, can allow attackers to act as legitimate users, accessing sensitive data and performing malicious activities on over a million websites.
Hotjar, a tool that complements Google Analytics by recording user activity, is used by over a million websites, including major brands like Adobe, Microsoft, and Nintendo. The nature of Hotjar’s data collection includes vast amounts of personal and sensitive information, making these vulnerabilities particularly dangerous.
OAuth and XSS: A Lethal Combination
OAuth is a widely adopted standard for cross-website authentication, powering “log in with” functionalities like those of Facebook and Google. Misconfigurations in OAuth implementations can create serious vulnerabilities, while XSS (Cross-Site Scripting), one of the oldest web vulnerabilities, allows attackers to inject malicious scripts into legitimate web pages.
Combining these two vulnerabilities, attackers can gain the same permissions as the victim, posing severe risks. According to Yaniv Balmas, Vice President of Research at Salt Security, the threat is significant as the attacker can perform any action the legitimate user can.
Case Studies: Hotjar and Business Insider
Hotjar
Salt Labs identified an XSS flaw in Hotjar’s social login feature, which uses OAuth. By manipulating the OAuth flow, attackers can extract the secret token from the URL. This token allows them to take over the victim’s account, exposing all data collected by Hotjar, which includes personal messages, bank details, and other sensitive information.
- OAuth Login Manipulation: Attackers start a new OAuth login flow in a separate window.
- Token Extraction: JavaScript reads the secret token from the new tab’s URL.
- Account Takeover: The attacker uses the victim’s token to authenticate and gain control over the account.
Business Insider
The Business Insider vulnerability was similarly severe. The website’s mobile authentication, which uses OAuth, can be exploited via XSS to read the credentials from the URL, allowing full account takeover.
- XSS Exploit: Inject malicious JavaScript to start the OAuth login flow.
- Credential Extraction: Extract the credentials from the URL after authentication.
- Account Takeover: Use the credentials to access and control the victim’s account.
The Broader Implications
Salt Labs warns that these vulnerabilities are likely widespread across numerous websites due to the common use of OAuth and the prevalence of XSS issues. This means millions of unsuspecting users could be at risk of account takeovers.
Mitigation Strategies
For Developers
- Sanitize Inputs and Encode Outputs: Validate user input and encode it when it is written into HTML so that it cannot be interpreted as script, preventing XSS.
- Use Modern Web Frameworks: Leverage frameworks like React or Angular, which offer built-in XSS protections.
- Implement HTTP-Only Cookies: This prevents JavaScript from accessing cookies, mitigating the risk of cookie theft.
- Deploy Content Security Policy (CSP): Specify safe sources for content, blocking unauthorized scripts.
For Users
- Exercise Caution with Links: Be wary of clicking links, even from trusted sources.
- Enable Two-Factor Authentication: It adds an additional layer of security to your accounts.
Conclusion
The combination of OAuth and XSS vulnerabilities presents a significant threat to web security. As demonstrated by the Hotjar and Business Insider cases, even well-secured services can have critical flaws that expose millions of users to risk. Developers and users alike must remain vigilant and proactive in implementing and following security best practices to mitigate these threats.