CyberSecurity SEE

OAuth and XSS Attack Poses a Threat to Millions of Web Users by Allowing Account Takeover

Millions of Web users are at risk due to critical API security flaws identified in the Hotjar service and the popular Business Insider global news website. These vulnerabilities, discovered by API security firm Salt Security’s Salt Labs, have opened the door for potential account takeovers through the misuse of the OAuth standard and cross-site scripting (XSS) flaws on the two platforms.

The Hotjar service, utilized by over a million websites including major brands like Adobe, Microsoft, and Nintendo, records user activity to analyze behavior. However, the data collected by Hotjar can contain sensitive information such as names, emails, addresses, and even credentials under certain circumstances, making it a prime target for malicious actors.

Separately, the Business Insider website, with its millions of global users, was found to have a distinct vulnerability exploitable for XSS attacks, potentially leading to account takeovers. The combination of flaws in both Hotjar and Business Insider highlights how widespread these security risks are across the Internet.

OAuth, a modern authentication standard commonly used for seamless cross-website authentication, has been misconfigured in ways that create vulnerabilities spanning multiple sites. When paired with XSS, an attacker can inject malicious code into a legitimate webpage to execute scripts in a visitor’s browser, enabling data theft and other malicious activities.

Yaniv Balmas, vice president of research at Salt, emphasized that exploiting the combination of OAuth and XSS grants attackers the same permissions and functionality as the victim, posing a significant risk to user accounts. While the vulnerabilities on Hotjar and Business Insider have been addressed, researchers caution that similar issues may exist on other websites, leaving unsuspecting users vulnerable to account takeovers.

In a detailed analysis, Salt researchers demonstrated how attackers manipulated the social login feature of Hotjar to exploit the OAuth token exchange process and execute XSS attacks. By leveraging JavaScript code to intercept authentication tokens and redirect users to malicious sites, attackers could potentially take over accounts and access personal data collected by Hotjar.

Similarly, researchers identified vulnerabilities in the mobile authentication process on the Business Insider website, where XSS could be used to intercept user credentials and initiate account takeovers. These findings underscore the importance of secure implementation of OAuth to prevent misuse in attack scenarios.
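The article does not publish the exact misconfigurations Salt Labs found, so the following is an added, general illustration written for this page and not code from Salt Labs, Hotjar or Business Insider. It shows two checks whose absence is what typically lets an OAuth authorization code or token be delivered to a page an attacker controls: exact-match validation of `redirect_uri` on the authorization server, and a session-bound, single-use `state` value verified by the client on callback. A loose prefix match is placed beside the strict match to show how a look-alike host slips through. All hostnames, client identifiers and the session layout are constructed for the example.

```python
"""Added example (not the page's or the researchers' code): minimal OAuth
redirect_uri and state checks. Hostnames and client ids are constructed."""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client registry: each client's redirect URIs, stored verbatim.
REGISTERED_CLIENTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_check(client_id: str, requested: str) -> bool:
    """Loose prefix match on the registered origin. A host such as
    app.example.com.evil.example passes this check, so the authorization
    server would send the code or token to the attacker's page."""
    for uri in REGISTERED_CLIENTS.get(client_id, ()):
        origin = uri.split("/oauth", 1)[0]
        if requested.startswith(origin):
            return True
    return False


def strict_redirect_check(client_id: str, requested: str) -> bool:
    """Exact string match against the registered set: https only, no fragment,
    no wildcard, no prefix matching."""
    parts = urlsplit(requested)
    if parts.scheme != "https" or parts.fragment or not parts.netloc:
        return False
    return requested in REGISTERED_CLIENTS.get(client_id, set())


def authorize_request(client_id: str, redirect_uri: str) -> str:
    """Authorization-server side: decide whether to issue a code to redirect_uri."""
    if not strict_redirect_check(client_id, redirect_uri):
        return "rejected: redirect_uri not registered for client"
    return "issue code to " + redirect_uri


def new_state(session: dict) -> str:
    """Client side, before redirecting to the provider: bind a random,
    single-use state value to the user's session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def verify_state(session: dict, returned_state: str) -> bool:
    """Client side, on callback: consume the stored state and compare in
    constant time. Popping it makes the value single-use."""
    expected = session.pop("oauth_state", None)
    if not expected or not returned_state:
        return False
    return hmac.compare_digest(expected, returned_state)


def handle_callback(session: dict, params: dict) -> str:
    """Client callback: reject a missing or mismatched state before the
    authorization code is exchanged, so a code delivered by a forged or
    replayed redirect is never used."""
    if not verify_state(session, params.get("state", "")):
        return "rejected: state mismatch"
    if not params.get("code"):
        return "rejected: no authorization code"
    return "exchange code for tokens"


if __name__ == "__main__":
    lookalike = "https://app.example.com.evil.example/oauth/callback"
    print("weak check accepts look-alike:", weak_redirect_check("client-123", lookalike))
    print("strict check:", authorize_request("client-123", lookalike))
    sess: dict = {}
    st = new_state(sess)
    print("callback:", handle_callback(sess, {"state": st, "code": "constructed-code"}))
```

Exact-match `redirect_uri` validation keeps the authorization response on the registered origin, and the session-bound `state` stops an attacker from completing a login on the victim's behalf with a code obtained elsewhere. Neither check protects a token that is already exposed to injected script on the page, which is why the article's XSS findings matter independently of the OAuth configuration.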

As online services continue to evolve, administrators must prioritize security considerations and implement robust measures to safeguard user data. A thorough implementation of security protocols is essential to prevent attackers from exploiting vulnerabilities in OAuth and XSS, ensuring the protection of user accounts and sensitive information.

Overall, the discovery of critical API security flaws in Hotjar and Business Insider serves as a reminder of the ongoing threat posed by vulnerabilities in popular online platforms. By addressing these issues proactively and adopting best practices in API security, organizations can mitigate the risk of account takeovers and protect user data from malicious exploitation.
