Massive XSS Threat: Millions of Websites Vulnerable via OAuth Flaw
A critical vulnerability in the OAuth authentication standard has been discovered, potentially exposing millions of websites and their users to account hijacking and data theft. Cybersecurity experts at Salt Security have identified and exploited the flaw, which combines vulnerabilities in OAuth with cross-site scripting (XSS) attacks.
Prominent web services such as Hotjar and Business Insider have already been found to be susceptible. The researchers warn that the same vulnerability likely exists on countless other websites due to the prevalence of OAuth and XSS vulnerabilities.
Hotjar, a tool that works in tandem with Google Analytics to monitor user behavior, is employed by over a million websites, including high-profile brands such as Adobe, Microsoft, Panasonic, Columbia, RyanAir, Decathlon, T-Mobile, and Nintendo.
The attack involves manipulating the OAuth authentication process, which is often used to allow users to log in with their existing accounts from Google, Facebook, or other platforms. By injecting malicious code into the authentication flow, attackers can steal user data, hijack accounts, and potentially gain access to sensitive information.
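The following is an added illustration, not code from the article or from Salt Security, of the checks a site's OAuth callback handler should perform so that an injected script cannot walk away with a login token: the callback rejects tokens delivered in the URL fragment (where any script on the page can read them), insists on an exact match against a registered redirect URI, and accepts a `state` value only once and only if it was bound to the user's session. The hostnames, the `REGISTERED_REDIRECTS` allow-list and the function names are assumptions, and the guidance generalizes beyond the specific sites the article names.

```python
import hmac
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed allow-list of the exact redirect URIs registered for this app
# (assumed values; a real deployment loads these from its OAuth client config).
REGISTERED_REDIRECTS = {"https://app.example/oauth/callback"}


def new_login(session):
    """Start a login: bind an unguessable, single-use state value to the session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]


def handle_callback(url, session):
    """Validate the provider's redirect before the server exchanges the code.

    Returns the authorization code on success, or None if anything is off.
    The access token itself is never exposed to browser-side script: only a
    short-lived code travels through the browser, and the exchange happens
    server to server.
    """
    parsed = urlparse(url)

    # A token in the fragment means the implicit flow was used; any XSS
    # payload on the page could read it, so refuse to accept such a response.
    if parsed.fragment:
        return None

    # Exact-match the redirect target; prefix or wildcard matching lets an
    # attacker-controlled path receive the code.
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if base not in REGISTERED_REDIRECTS:
        return None

    query = parse_qs(parsed.query)
    state = query.get("state", [""])[0]
    expected = session.pop("oauth_state", "")  # pop: state is single-use
    if not expected or not hmac.compare_digest(state, expected):
        return None

    code = query.get("code", [""])[0]
    return code or None
```

Pair this with a Content-Security-Policy on the callback page and an HttpOnly session cookie so that even a successful script injection elsewhere on the site has nothing token-shaped to read.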
Hotjar, the user behavior analytics tool used by over a million websites, was singled out as a particularly high-impact case because of the vast amount of personal and confidential data it collects. The researchers demonstrated how an attacker could exploit the flaw to steal sensitive user information, including names, email addresses, home addresses, and even banking details.
While Hotjar and Business Insider have promptly patched the vulnerabilities after being notified by Salt Security, the broader risk remains significant. Salt Labs estimates that millions of websites worldwide could be affected, urging website administrators to take immediate action to secure their OAuth implementations.
To assist in this effort, Salt Security has released a free scanner that allows website owners to check if their OAuth implementation is vulnerable. The company strongly recommends that all websites using OAuth utilize this tool and take necessary steps to mitigate the risk.