Salt Labs, the research arm of API security firm Salt Security, has discovered and published details of a cross-site scripting (XSS) attack that could potentially impact millions of websites around the world.
This is not a product vulnerability that can be patched centrally. It is more an implementation issue between web code and a massively popular mechanism: OAuth used for social logins. Most website developers believe the XSS scourge is a thing of the past, solved by a series of mitigations introduced over the years. Salt shows that this is not necessarily so.
With less concentration on XSS issues, and a social login app that is used extensively, and is easily acquired and implemented in minutes, developers can take their eye off the ball. There is a sense of familiarity here, and familiarity breeds, well, mistakes.
The basic problem is not unknown. New technology with new processes introduced into an existing ecosystem can disturb the established equilibrium of that ecosystem. This is what happened here. It is not a problem with OAuth, it is in the implementation of OAuth within websites. Salt Labs discovered that unless it is implemented with care and rigor – and it rarely is – the use of OAuth can open a new XSS route that bypasses current mitigations and can lead to complete account takeover.
Salt Labs has published details of its findings and methodologies, concentrating on just two firms: HotJar and Business Insider. The relevance of these two examples is firstly that they are major firms with strong security attitudes, and secondly that the amount of PII potentially held by HotJar is immense. If these two major firms mis-implemented OAuth, then the probability that less well-resourced websites have done similar is immense.
For the record, Salt’s VP of research, Yaniv Balmas, told SecurityWeek that OAuth issues had also been found in websites including Booking.com, Grammarly, and OpenAI, but it did not include these in its reporting. “These are just the poor souls that fell under our microscope. If we keep looking, we’ll find it in other places. I’m 100% certain of this,” he said.
Here we’ll focus on HotJar because of its market saturation, the amount of personal data it collects, and its low public recognition. “It’s similar to Google Analytics, or maybe an add-on to Google Analytics,” explained Balmas. “It records a lot of user session data for visitors to websites that use it – which means that just about everybody will use HotJar on sites including Adobe, Microsoft, Panasonic, Columbia, Ryanair, Decathlon, T-Mobile, Nintendo, and many more major names.” It is safe to say that millions of websites use HotJar.
HotJar’s purpose is to collect users’ statistical data for its customers. “But from what we see on HotJar, it records screenshots and sessions, and monitors keyboard clicks and mouse actions. Potentially, there’s a lot of sensitive information stored, such as names, emails, addresses, private messages, bank details, and even credentials, and you and millions of other consumers who may not have heard of HotJar are now dependent on the security of that firm to keep your information private.” And Salt Labs had uncovered a way to reach that data.
(In fairness to HotJar, we should note that the firm took just three days to fix the problem once Salt Labs disclosed it to them.)
HotJar followed all current best practices for preventing XSS attacks. This should have prevented typical attacks. But HotJar also uses OAuth to allow social logins. If the user chooses to ‘sign in with Google’, HotJar redirects to Google. If Google recognizes the supposed user, it redirects back to HotJar with a URL that contains a secret code that can be read. Essentially, the attack is simply a method of forging and intercepting that process and getting hold of legitimate login secrets.
“To combine XSS with this new social-login (OAuth) feature and achieve working exploitation, we use a JavaScript code that starts a new OAuth login flow in a new window and then reads the token from that window,” explains Salt. Google redirects the user, but with the login secrets in the URL. “The JS code reads the URL from the new tab (this is possible because if you have an XSS on a domain in one window, this window can then reach other windows of the same origin) and extracts the OAuth credentials from it.”
Essentially, the ‘attack’ requires only a crafted link to Google (mimicking a HotJar social login attempt but requesting a ‘code token’ response rather than a simple ‘code’ response, to prevent HotJar consuming the once-only code); and a social engineering method to persuade the victim to click the link and start the attack (with the code being delivered to the attacker). This is the basis of the attack: a false link (but one that appears legitimate), persuading the victim to click it, and receipt of an actionable login code.
“Once the attacker has a victim’s code, they can start a new login flow in HotJar but replace their code with the victim code – leading to a full account takeover,” reports Salt Labs.
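As an added illustration (not from the Salt Labs report or from HotJar), the check below compares an OAuth authorize link against a client's expected configuration and flags the one difference the article describes: a ‘code token’ response_type on a site that only ever uses ‘code’. The authorization host, client_id and redirect_uri are constructed placeholders, as are the sample links.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed expected configuration for a hypothetical OAuth client (not HotJar's real values).
EXPECTED = {
    "authorize_host": "accounts.google.com",
    "client_id": "example-client-id.apps.googleusercontent.com",
    "redirect_uris": {"https://app.example.com/oauth/callback"},
    "response_type": "code",  # an authorization-code client should never ask for tokens
}


def _single(qs: dict, key: str):
    """Return the first value of a query parameter, or None if absent."""
    return qs.get(key, [None])[0]


def audit_authorize_url(url: str, expected: dict = EXPECTED) -> list:
    """Return findings for an OAuth authorize link; an empty list means it matches the expected flow."""
    findings = []
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if parts.scheme != "https" or parts.hostname != expected["authorize_host"]:
        findings.append(f"unexpected authorization server: {parts.scheme}://{parts.hostname}")
    if _single(qs, "client_id") != expected["client_id"]:
        findings.append(f"client_id mismatch: {_single(qs, 'client_id')}")
    if _single(qs, "redirect_uri") not in expected["redirect_uris"]:
        findings.append(f"redirect_uri not in allowlist: {_single(qs, 'redirect_uri')}")
    # The crafted link described in the article differs from a genuine login mainly here:
    # 'code token' (hybrid flow) delivers a token the site never consumes, so the code stays usable.
    requested = set((_single(qs, "response_type") or "").split())
    if requested != {expected["response_type"]}:
        findings.append(f"response_type {sorted(requested)} != ['{expected['response_type']}']")
    if not _single(qs, "state"):
        findings.append("missing state parameter (no CSRF binding to the session)")
    return findings


# Constructed sample links: a genuine-looking login and the same link asking for 'code token'.
BASE = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client-id.apps.googleusercontent.com"
        "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback&scope=openid%20email&state=abc123")
GENUINE_LINK = BASE + "&response_type=code"
CRAFTED_LINK = BASE + "&response_type=code%20token"

if __name__ == "__main__":
    for name, link in (("genuine", GENUINE_LINK), ("crafted", CRAFTED_LINK)):
        print(name, audit_authorize_url(link) or "no findings")
```

The same check can be run over links found in mail gateways or web proxy logs that point at the configured authorization server, since a legitimate login never changes the response type.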
The vulnerability is not in OAuth, but in the way in which OAuth is implemented by many websites. A fully secure implementation requires extra effort that most websites either do not realize is needed, or lack the in-house skills to carry out.
From its own investigations, Salt Labs believes that there are likely millions of vulnerable websites around the world. The scale is too great for the firm to investigate and notify everyone individually. Instead, Salt Labs decided to publish its findings but coupled this with a free scanner that allows OAuth user websites to check whether they are vulnerable.
The scanner is available here.
It provides a free scan of domains as an early warning system. By identifying potential OAuth XSS implementation issues upfront, Salt is hoping organizations proactively address these before they can escalate into bigger problems. “No promises,” commented Balmas. “I cannot promise 100% success, but there’s a very high chance that we’ll be able to do that, and at least point users to the critical places in their network that might have this risk.”
Related: OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
Related: ChatGPT Plugin Vulnerabilities Exposed Data, Accounts
Related: Critical Vulnerabilities Allowed Booking.com Account Takeover