TLDR
- Researchers discovered an XSS attack that could impact millions of websites using OAuth for social logins
- The vulnerability affects major services like HotJar and Business Insider, potentially exposing user data
- The attack combines OAuth implementation flaws with cross-site scripting (XSS) vulnerabilities
- HotJar, used by over 1 million websites, could expose sensitive user data if compromised
- Researchers believe this issue is widespread due to the popularity of OAuth and XSS vulnerabilities
A new security threat has emerged that could affect millions of websites worldwide. Researchers from Salt Labs, part of API security firm Salt Security, have uncovered a cross-site scripting (XSS) attack that takes advantage of how websites implement OAuth for social logins.
OAuth is a popular standard used for features like “Login with Google” or “Login with Facebook.” It lets users sign in to websites using their accounts from other services. However, if not set up correctly, OAuth can create security risks.
The researchers found this problem in two major online services: HotJar and Business Insider. HotJar is a tool used by over 1 million websites to track and record user activity. It works with big names like Adobe, Microsoft, T-Mobile, and Nintendo. Business Insider is a well-known news website with millions of readers around the world.
What makes this discovery concerning is that these are big companies with strong security practices. If they can make this mistake, many other websites likely have the same issue.
The attack works by combining two things: problems with how OAuth is set up, and an old type of web vulnerability called cross-site scripting (XSS). XSS lets attackers run malicious code in a user’s web browser.
Here’s how the attack could work:
- An attacker sends a victim a link that looks normal.
- This link could come through email, text message, or social media.
- When the victim clicks the link, it starts a login process using OAuth.
- The attacker can then steal the login information and take over the victim’s account.
This is dangerous because it could let attackers see and use any information in the compromised account. For a service like HotJar, this could include names, emails, addresses, and even bank details that HotJar recorded from other websites.
Both HotJar and Business Insider fixed the problems quickly after being notified. HotJar took just three days to fix the issue. However, the researchers believe many other websites likely have the same vulnerability.
To help address this issue, Salt Labs has released a free scanner. Website owners can use this tool to check if their OAuth implementation is vulnerable to this kind of attack.
The discovery of this vulnerability shows that even as web security improves, new risks can emerge. It’s a reminder that website owners need to be careful when implementing new features like social logins.
For users, this news underscores the importance of being cautious online. Even links that look legitimate could be part of an attack. It’s always a good idea to be careful about what links you click and to use strong, unique passwords for each of your online accounts.
