A critical vulnerability within the OAuth authentication standard poses a substantial risk to millions of websites and their users, potentially leading to account hijacking and data theft. Cybersecurity experts from Salt Security have identified and exploited this flaw, which intertwines weaknesses in OAuth with cross-site scripting (XSS) attacks—a combination that amplifies the potential for malicious exploitation. Notably, well-known web services like Hotjar and Business Insider have been found susceptible, raising alarms over the fact that countless other websites may share this vulnerability due to the widespread implementation of OAuth and inherent XSS weaknesses.
Hotjar, a widely-used tool that complements Google Analytics by tracking user behavior, serves over a million websites, including major corporations such as Adobe, Microsoft, and T-Mobile. The vulnerability allows attackers to manipulate the OAuth process frequently used for user logins through platforms like Google and Facebook. By injecting malicious code into this authentication flow, attackers can compromise sensitive user data, hijack accounts, and access critical information, including names, email addresses, home addresses, and even financial details.
Despite prompt remediation efforts by Hotjar and Business Insider, following notification from Salt Security, the overarching risk remains considerable. Salt Labs estimates that millions of websites globally could be at risk, putting the onus on website administrators to act swiftly in securing their OAuth implementations. To facilitate this process, Salt Security has released a complimentary scanning tool for website owners to assess their OAuth vulnerability status. The company strongly advises that all websites leveraging OAuth perform this assessment and take necessary mitigation steps to shield against potential exploitation.