The cyberspace landscape changes frequently, sometimes the change is good, while sometimes we stumble across challenges.
One such problem surfaced recently when Salt Labs experts found OAuth (Open Authorization) implementation flaws and cross-site scripting (XSS) vulnerabilities in the Hotjar service, a tool used by websites for tracking user behavior, and in the code of famous global news website Business Insider.
These loopholes highlight the urgent need for strong security measures and constant lookout for protecting important user data.
About OAuth and XSS
OAuth (Open Authorization) is a commercial protocol allowing third-party applications to access user info without showing passwords. It offers a safe and systematic way for users to access their data on different platforms. But, in case of incorrect use, malicious actors can exploit OAuth vulnerabilities and gain unauthorized access to user profiles.
XSS vulnerability allows threat actors to deploy malicious scripts into web pages that other users access. These scripts can steal important information such as cookies, session tokens, and other details, allowing the takeover of accounts and data breaches.
The Attack Vector
In these attacks combining OAuth bugs and XSS vulnerabilities, threat actors can create a specially designed URL containing the XSS payload. If a user clicks on this URL, the malicious script is loaded in the form of a user's session. It lets threat actors hijack the OAuth token, allowing them unauthorised access to the user's account, as if they are the user themselves. The consequences of such an attack are severe, causing the leak of sensitive data, including emails, bank details, names, and addresses.
Impact in Real-World
The possible implications of such an attack vector can be far-reaching. Millions of internet users who depend on services like Business Insider and Hotjar are exposed to the risks of account hijacking. The stolen OAuth tokens can be used to mimic users, access their personal data, and perform unauthorized actions on their behalf.
The risk is the same for businesses, a successful attack can result in a data breach, reputation damage, and financial losses. User trust in these services can fade, leading to loss of customers and profits. Additionally, regulatory agencies may stick to heavy fines and penalties for failure to protect user data.
How to stay safe: Mitigation strategies
- Make sure OAuth implementations have followed best practices and ensure regular audits for security loopholes. Encourage token storage mechanisms and implement robust security controls to avoid unauthorized entries.
- CSP (Control Security Policy): Use a strong CSP to avoid the execution of suspicious scripts. CSP can help in controlling the impact of XSS attacks by avoiding malicious script executions.
- Frequent security audits and penetration testing to track and patch bugs.
- User education: Avoid clicking suspicious links and use strong passwords. Also, use MFA (multi-factor authentication) for an extra security level.
- Use strong input validation and sanitization techniques to stay safe from XSS attacks. Validate and sanitize all user inputs before processing and display.
