OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover

Critical API security flaws have put millions of users at risk for account takeover, by using a modern authentication standard to resurrect a longtime vulnerability. The bugs were found in the Hotjar service, which tracks and records Web user activity, and in the code of the popular Business Insider global news website.

That's according to API security firm Salt Security's Salt Labs, which found that by pairing manipulation of the OAuth standard with cross-site scripting (XSS) flaws in the two sites, attackers can potentially expose sensitive data and conduct malicious activity acting as legitimate users of more than a million websites.

Hotjar, a tool that complements Google Analytics by recording user activity to analyze behavior, serves more than a million websites, including well-known brands such as Adobe, Microsoft, Panasonic, Columbia, RyanAir, Decathlon, T-Mobile, and Nintendo.

"Due to the nature of the Hotjar solution, the data it collects can include a vast volume of personal and sensitive data, such as names, emails, addresses, private messages, bank details, and even credentials under certain circumstances," according to a Salt Labs blog post on the research.

A separate but just as dangerous vulnerability found on the Business Insider website can meanwhile be exploited to perform an cross-site scripting (XSS) attack and take over accounts on that site, which has millions of global users.

More worrisome, the same combination of problems is likely widespread and lurking on whole swathes of the Internet, the researchers warned.

A Modern Authentication Standard Meets an Old Flaw

OAuth is a relatively new standard increasingly being used for seamless cross-website authentication, familiar to many as the engine behind the "log in with Facebook" or "log in with Google" functionality included in many websites. The standard drives the mechanism responsible for the authentication handoff between the sites, allowing user data to be shared between them. It's been known to be misconfigured upon implementation in ways that create serious vulnerabilities that span numerous sites.

XSS, meanwhile, is one of the most oft-exploited and oldest Web vulnerabilities. It allows an attacker to inject malicious code into a legitimate Web page or application in order to execute scripts in a website visitor's browser for data theft and more.

An attacker who successfully exploits an attack vector that combines the two "will gain the same permissions and functionality as the victim, and therefore, the risk will be parallel to what can actually be done by a normal system user," Yaniv Balmas, vice president of research at Salt, tells Dark Reading.

Salt Labs discovered the vulnerability on the Business Insider site on March 20 and immediately informed the company, which fixed the flaws by March 30. The Hotjar flaw was discovered on April 17, and, upon disclosure, mitigated two days later.

However, Salt researchers believe that flaws that allow attackers to exploit this combo of OAuth and XSS are likely lurking undetected on other sites, thus exposing millions of unsuspecting users to potential account takeover.

"We strongly believe this is a very common issue, and most chances are that many other online services suffer from the same issue," Balmas says.

Hotjar Attack

Given that XSS has been around so long, most websites have built-in protections against attacks that exploit this vulnerability. Salt researchers were able to get around them using OAuth in two separate instances on both Hotjar and the Business Insider website.

On the former, the researchers manipulated the social login aspect of Hotjar, which redirects to Google to receive a secret token through OAuth to complete authentication on Hotjar. That token is a URL that contains secret code, which is something that JavaScript code can read, creating an XSS flaw.

"To combine XSS with this new social-login feature and achieve working exploitation, we use a JavaScript code that starts a new OAuth login flow in a new window and then reads the token from that window," according to the post. "With this method, the JavaScript code opens a new tab to Google, and Google automatically redirects the user back to [the Hotjar site] with the OAuth code in the URL."

The code reads the URL from the new tab and extracts the OAuth credentials from it. Once the attackers have a victim's code, they can start a new login flow in Hotjar, replacing their code with the victim code and leading to a full account takeover and thus potential exposure of all the personal data collected by Hotjar.

Exploiting Mobile Logins

The researchers also managed to exploit the social sign-in feature integrated into the code of the Business Insider website, specifically through mobile authentication, which opens a new Web browser to authenticate the user. After the user completes the authentication on the Web, they are then redirected to an endpoint with their credentials as parameters that are sent from the Web to the mobile site.

"This endpoint, created only to support authentication using the mobile application, is vulnerable to XSS," according to the post. Thus, if an attacker can read the credentials from the URL, they can achieve account takeover.

"What we need to do is write JavaScript code that starts a login flow, wait for the token to be visible in the URL, and then read that URL," according to the post. "If a victim clicks on that link, their credentials will be passed to a malicious domain."

Though the flaws specifically found on Hotjar and Business Insider have been mitigated, the potential for exploit on other sites means site administrators need to be careful in how they implement OAuth, lest it be used in similar attack scenarios, Balmas says.

"As always, when implementing any new technology, many things need to be considered, including, of course, security," he says. "A solid implementation that considers all possible options should be secure and will not allow an attacker an opportunity to abuse this attack vector."