By combining OAuth features with an age-old cross-site scripting (XSS) vulnerability, Salt Labs researchers were able to take over any account in HotJar and Business Insider online services.
Because HotJar serves more than 1 million websites, including, Adobe, Microsoft, T-Mobile, and Nintendo, security pros considered the issue serious, even though many protections were layered into security products over the years to protect enterprises against XSS attacks.
In a July 29 blog post, Salt Labs researchers explained that while the team’s research focused on two targets — HotJar and Business Insider — this issue is not constrained to just those two companies. The researchers said because of the popularity of OAuth and the widespread existence of XSS, this issue likely exists in numerous other web services.
An XSS vulnerability lets an attacker run JavaScript code on a victim's browser. To exploit this vulnerability, the researchers explained that an attacker can simply send the victim a valid link to the service they want to attack.
Attackers can send the link via email, text message, social media, or posted in an online forum. And because the link is completely legitimate, the victim will have practically no way to determine if it’s part of a larger attack without a deep technical analysis. Once a victim clicks on the link, the attacker can gain full control of the account, allowing them to perform any actions on the account and gain access to any data stored in the account.
Attackers can use XSS flaws to compromise user interactions with the application, steal sensitive data, and impersonate users, explained Callie Guenther, senior manager, cyber threat researcher at Critical Start.
The vulnerability discussed in the HotJar case involved the exploitation of XSS in conjunction with OAuth, explained Guenther, who's also an SC Media columnist. By exploiting XSS, attackers could manipulate OAuth tokens or sessions, gaining unauthorized access to user accounts and sensitive data.
Guenther added that from an intelligence perspective, this incident stressed the need for ongoing vigilance and proactive threat hunting within security teams. Guenther said it serves as a reminder that security is not a static field: new exploitations of old vulnerabilities can emerge as technology evolves.
“Threat intelligence teams should continuously update threat models and attack scenarios to reflect the current capabilities of adversaries, especially as they relate to the integration of different technologies and platforms,” said Guenther. “Moreover, security teams should be on the lookout for similar vulnerabilities in other services. Given the prevalence of OAuth and the persistent nature of XSS vulnerabilities, it is likely that similar security flaws could be present in other widely used services.”
Tom Siu, chief information security officer at Inversion6, added that as a CISO, he’s been a promoter of simplification of the authentication process, and using OAuth has saved his team many cycles of user account management over the years of its availability. However, Siu said every owner of a web-based service that uses OAuth needs to examine their systems for this XSS challenge and apply a fix, to avoid the likely mechanisms attack that will touch so many deployed cloud applications.
“For example, there are a growing number of state and federal government services that are switching to OAuth-based services to permit consumer logins, that's a high-impact pool for certain,” said Siu. “I suggest all of our vulnerability management vendors will be able to tune new detections for this type of XSS, so responsible parties can detect and get a fast patch in place, as HotJar did. Like the CrowdStrike issue of July 19, this fix requires touching all of your web server auth configurations, a labor-intensive risk mitigation activity.”
