Salt Security has released new threat research from Salt-Labs, highlighting critical security flaws within popular web analytics provider Hotjar and a renowned global news outlet – highlighting elevated risk for enterprises.
Hotjar is a key solution for product teams who want to go beyond traditional web and product analytics so they can empathise with and understand their users—to connect the dots between what’s happening and why it happens, so they can improve the user experience (UX) and create customer delight.
The company serves over one million websites, including global brands. These vulnerabilities could have potentially allowed an attacker unlimited access to sensitive data sets within these services, affecting millions of users and organisations worldwide.
These findings are not exclusive to these services but highlight a bigger issue that likely exists within similar ecosystems.
The resurrection of an age-old security issue
Cross-site scripting (commonly known as XSS) is a security issue that has existed since the early days of the World Wide Web. It has since been analysed and mitigated in many layers using countless techniques, ultimately reducing its overall security risk to a minimal level.
However, the emergence of new technologies can cause a major ecosystem change, which introduces new opportunities for attackers to leverage historical flaws such as XSS and escalate security risk significantly.
Recent Salt-Labs research demonstrates exactly this point, notably when combining XSS and recently popularised technology known as OAuth. OAuth has become the de facto authorisation/authentication protocol of the past decade.
Even if organisations use it unknowingly, OAuth is utilised by thousands of web services, as it plays a key role in any service that provides ‘Social-Login’ functions, among many others.
By combining OAuth features with the old XSS vulnerability, Salt-Labs researchers have successfully proven the ability to take over any account in Hotjar and the major news source’s online services.
To exploit this vulnerability, an attacker can simply send the victim a valid link to the service they want to attack. This link can be sent via any possible channel (email, text message, social media, or posted in an online forum, etc).
As the link is completely legitimate, the victim will have practically no way to determine if it is part of a larger attack without a deep technical analysis.
Once a victim clicks on the link, the attacker can gain full control of the account, allowing them to perform any actions on the account and gain access to any data stored in the account.
A widespread issue
While Salt-Labs’ research focused on two “example” targets – Hotjar and the major news source, this issue is not constrained to them. Due to the popularity of OAuth and the widespread existence of XSS issues, this issue likely exists in numerous other web services, showcasing the risks that accompany bundled API usage.
Salt are recommending that security teams read through the technical details and detailed explanations listed in their blog post to better understand the potential exposure of their online services.
In addition, Salt also recommend that users exercise caution when clicking on unknown links, even those sent from trusted sources.
The Salt-Labs team has also released a unique tool that will help companies assess their own risks of similar vulnerabilities with the goal to reduce their risk profile.
Until now, this tool was used internally by Salt-Labs to identify risks and vulnerabilities. If you are a domain/website owner and interested in assessing your risk, you can click here to complete your free scan.
To read more Eskenzi news, click here.
