XSS and OAuth Combo Threatens Millions of Users Due to Hotjar Flaw


Cybersecurity Experts Uncover Critical Vulnerabilities in Leading Web Analytics Platform Hotjar, Potentially Exposing Sensitive Data of Millions of Users Across Global Brands and Enterprises.

A newly discovered vulnerability in the popular web analytics provider Hotjar, which is used by millions of websites including Microsoft, Adobe, Panasonic, Columbia, RyanAir, Decathlon, T-Mobile, and Nintendo, could have given attackers access to sensitive user data. Salt Security’s research arm, Salt Labs, uncovered the flaw and has since worked with Hotjar to remediate the issue.

The attack chains together a long-known class of bug, Cross-Site Scripting (XSS), with the widely used authentication protocol OAuth. While XSS has long been considered a manageable threat, Salt Labs researchers demonstrated how it could be combined with OAuth to hijack user accounts.

This research highlights how even vulnerability classes that seem dated can pose a significant risk as the technology landscape evolves. The combination of XSS and OAuth created a powerful attack vector that could have impacted millions of users.

According to Salt Security’s report shared with Hackread.com ahead of publishing on Monday, the attack method is deceptively simple. A user would receive a legitimate-looking link, perhaps via email or social media. Clicking the link would unknowingly grant the attacker full control of the user’s account, giving them access to any stored data.

While the immediate threat to Hotjar users has been addressed, Salt Labs warns that this vulnerability likely exists in other web services that use OAuth. The widespread adoption of OAuth, combined with the likelihood of undiscovered XSS vulnerabilities, creates a concerning security landscape.

This isn’t just a Hotjar issue; it’s a wake-up call for the entire industry. Companies need to proactively assess their security measures and ensure they are adequately protected against these types of evolving threats.

Salt Labs has released a free tool for website owners to assess their own vulnerability to this type of attack. They also urge users to exercise caution when clicking on links, even those seemingly from trusted sources.

This latest discovery follows Salt Security’s previous findings of OAuth vulnerabilities in the popular AI tool, ChatGPT, further underscoring the importance of API security in today’s interconnected world. As dependence on online services grows, aggressive security measures are critical to protect user data and maintain trust.

