New threat research by Salt-Labs, the research arm of API security company Salt Security, has released new research highlighting critical security flaws within popular web analytics provider Hotjar. The company serves over one million websites, including global brands like Microsoft and Nintendo (according to their website). These vulnerabilities could have potentially allowed an attacker unlimited access to sensitive data sets within these services, affecting millions of users and organisations worldwide. These findings are not exclusive to these services but highlight a bigger issue that likely exists within similar API ecosystems.
Cross-site scripting (XSS) has been a persistent security threat since the early web, yet it’s largely been contained through layered defences. However, the advent of new technologies, such as OAuth, has created unforeseen vulnerabilities.
OAuth, the ubiquitous authorisation protocol, has become a prime target for exploitation when combined with the classic XSS flaw. Recent research by Salt Labs has demonstrated a critical risk: by merging these two elements, attackers can hijack accounts on major platforms like Hotjar and leading news outlets.
This attack is deceptively simple. Malicious actors craft seemingly innocuous links that, when clicked, grant them complete control over a victim’s account. With no obvious red flags, these links pose a significant threat as they can be disseminated through various channels. The potential consequences are severe, including unauthorised access to sensitive data and actions taken on the compromised account.
While Salt-Labs has highlighted specific examples, the issue is likely widespread due to the prevalence of both OAuth and XSS vulnerabilities across numerous web services. This underscores the critical importance of robust security measures, especially when integrating third-party APIs.
Salt-Labs’ ongoing research demonstrates additional pillars to the risks tangled in API usage, specifically with the use of popular OAuth tools. At the beginning of 2024, the Salt Labs team also revealed critical OAuth vulnerabilities in the popular AI Tool, ChatGPT.
