OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover

July 29, 2024 at 10:50AM

Recent security research by Salt Security’s Salt Labs revealed critical API security flaws in both Hotjar and Business Insider, exposing millions of users to potential account takeover. The flaws involve manipulating the OAuth standard with cross-site scripting, potentially enabling attackers to access sensitive data. The researchers warn that similar vulnerabilities may be widespread, necessitating cautious implementation of OAuth.

The key takeaways from the research:

1. Critical API security flaws were discovered in the Hotjar service and the Business Insider website, potentially exposing millions of users to account takeover by exploiting a combination of OAuth manipulation and cross-site scripting (XSS) vulnerabilities.
2. The Hotjar service, which records user activity for analysis, is used by over a million websites and collects sensitive data including personal information, private messages, and even credentials.
3. The vulnerability on Business Insider could be exploited for XSS attacks, potentially affecting its millions of global users.
4. The combination of OAuth and XSS vulnerabilities is likely widespread across the Internet, posing a serious risk to user data and account security.
5. By manipulating the social login aspect of Hotjar and exploiting the social sign-in feature on Business Insider, the researchers were able to demonstrate the potential for full account takeover and exposure of sensitive personal data.

It’s important for site administrators to carefully implement OAuth to prevent similar attack scenarios. Additionally, the researchers urge a thorough consideration of all security aspects when implementing new technology to avoid providing opportunities for attackers to exploit potential vulnerabilities.