Security researchers have uncovered a critical vulnerability affecting over one million websites. The vulnerability combines OAuth implementation flaws with cross-site scripting (XSS) attacks.
The vulnerability stems from the interaction between OAuth, a widely used authentication protocol, and XSS, a long-standing web security issue. While XSS attacks have become less prevalent due to improved security measures, this new exploit demonstrates how combining them with OAuth can bypass traditional protections.
At the heart of the issue is how OAuth is implemented in many web applications. Attackers can craft malicious URLs that mimic legitimate OAuth login attempts, intercepting the authentication process to gain unauthorized access to user accounts.
This technique allows malicious actors to circumvent standard XSS defenses, potentially exposing sensitive user data, including names, addresses, emails, banking details, and credentials.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide
The research initially focused on Hotjar, a popular web analytics service used by numerous high-profile companies. Despite Hotjar’s implementation of robust security practices, researchers found that the combination of XSS and OAuth could lead to account takeovers.
This vulnerability has since been addressed, underscoring the need for continuous security monitoring across all web applications.
“Once the attacker has a victim’s code, they can start a new login flow in Hotjar but replace their code with the victim’s, leading to a full account takeover,” salt researchers added.
Salt Security has developed a new tool capable of detecting a wide range of vulnerabilities, including those related to APIs, OAuth, and web security.
The implications of this discovery are far-reaching, affecting the websites of prominent companies such as Microsoft, Adobe, Columbia, Panasonic, Decathlon, RyanAir, Nintendo, and T-Mobile, among others. Any website using OAuth for authentication could potentially be at risk.
To mitigate this threat, security experts recommend several measures:
- Implement manual input sanitization and output encoding to prevent unauthorized script execution.
- Utilize modern web frameworks like React and Angular, which offer built-in XSS protections.
- Set cookies with HTTP-Only attributes to prevent access via JavaScript.
- Define and enforce content security policies to restrict sources of executable scripts.
As the cybersecurity landscape continues to evolve, this discovery emphasizes the importance of proactive security measures and the need for developers and security professionals to consider how different technologies interact. With millions of websites potentially at risk, addressing this OAuth vulnerability has become a top priority for the web security community.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access