Skip to content

0Auth implementation flaw leaves millions of websites vulnerable to XSS attacks

  • by
  • 2 min read

An OAuth implementation mistake caught by security researchers has exposed over one million websites to XSS or cross-scripting attacks. Note that this isn’t an OAuth vulnerability; the actual issue here is how OAuth has been implemented in the vulnerable sites.

Salt Labs researchers caught the issue and published a technical analysis of the mistake focusing on HotJar and Business Insider. In the case of HotJar, the website implemented all the best XSS-avoiding measures that would’ve prevented typical attacks. However, in this case, HotJar uses OAuth to allow login via different social accounts.

If a user tries to log into HotJar using Google, they’re redirected to Google’s website for login and then sent back to HotJar with a URL that contains a secret code that an attacker can read. Once an attacker gets hold of these login secrets, a complete account takeover is possible using this code.

Simply put, all the attack needs is a crafted link to Google or another account mimicking a legitimate HotJar social login attempt. This link can request a code token instead of a simple code to prevent HotJar from using said code. Once ready, an attacker can use social engineering tactics to get the victim to click on the link and have the code token delivered to them.

HotJar and Business Insider (but especially HotJar) were selected for the vulnerability’s technical analysis for their security-based mindset and wide customer base demonstrating that even the most security-savvy websites can also make an implementation mistake that can lead to massive data breaches.

Considering there are potentially millions of websites affected by this faulty implementation, the scale of the issue is too big for Salt Labs to investigate and notify individual victims. The researchers have released a free online tool that can be used to check whether a particular website using OAuth is vulnerable to the attack.

In the News: WazirX wants users to bear the burden of the lost $230 million

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>