OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover

  /     /     /  
Publicated : 23/11/2024   Category : security


OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover


An attack flow that combines API flaws within log in with implementations and Web injection bugs could affect millions of websites.



Critical API security flaws have put millions of users at risk for
account takeover,
by using a modern authentication standard to resurrect a longtime vulnerability. The bugs were found in the Hotjar service, which tracks and records Web user activity, and in the code of the popular Business Insider global news website.
Thats according to API security firm Salt Securitys Salt Labs, which found that by pairing manipulation of the
OAuth standard
with cross-site scripting (XSS) flaws in the two sites, attackers can potentially expose sensitive data and conduct malicious activity acting as legitimate users of more than a million websites.
Hotjar, a tool that complements Google Analytics by recording user activity to analyze behavior, serves more than a million websites, including well-known brands such as Adobe, Microsoft, Panasonic, Columbia, RyanAir, Decathlon, T-Mobile, and Nintendo.
Due to the nature of the Hotjar solution, the data it collects can include a vast volume of personal and sensitive data, such as names, emails, addresses, private messages, bank details, and even credentials under certain circumstances, according to a
Salt Labs blog post
on the research.
A separate but just as dangerous vulnerability found on the Business Insider website can meanwhile be exploited to perform an cross-site scripting (XSS) attack and take over accounts on that site, which has millions of global users.
More worrisome, the same combination of problems is likely widespread and lurking on whole swathes of the Internet, the researchers warned.
OAuth is a relatively new standard increasingly being used for seamless cross-website authentication, familiar to many as the engine behind the log in with Facebook or log in with Google functionality included in many websites. The standard drives the mechanism responsible for the
authentication handoff
between the sites, allowing user data to be shared between them. Its been known to be
misconfigured upon implementation
in ways that create serious vulnerabilities that span numerous sites.
XSS, meanwhile, is one of the most
oft-exploited and oldest Web vulnerabilities
. It allows an attacker to inject malicious code into a legitimate Web page or application in order to execute scripts in a website visitors browser for data theft and more.
An attacker who successfully exploits an attack vector that combines the two will gain the same permissions and functionality as the victim, and therefore, the risk will be parallel to what can actually be done by a normal system user, Yaniv Balmas, vice president of research at Salt, tells Dark Reading.
Salt Labs discovered the vulnerability on the Business Insider site on March 20 and immediately informed the company, which fixed the flaws by March 30. The Hotjar flaw was discovered on April 17, and, upon disclosure, mitigated two days later.
However, Salt researchers believe that flaws that allow attackers to exploit this combo of OAuth and XSS are likely lurking undetected on other sites, thus exposing millions of unsuspecting users to potential account takeover.
We strongly believe this is a very common issue, and most chances are that many other online services suffer from the same issue, Balmas says.
Given that XSS has been around so long, most websites have built-in protections against attacks that exploit this vulnerability. Salt researchers were able to get around them using OAuth in two separate instances on both Hotjar and the Business Insider website.
On the former, the researchers manipulated the social login aspect of Hotjar, which redirects to Google to receive a secret token through
OAuth
to complete authentication on Hotjar. That token is a URL that contains secret code, which is something that JavaScript code can read, creating an XSS flaw.
To combine XSS with this new social-login feature and achieve working exploitation, we use a JavaScript code that starts a new OAuth login flow in a new window and then reads the token from that window, according to the post. With this method, the JavaScript code opens a new tab to Google, and Google automatically redirects the user back to [the Hotjar site] with the OAuth code in the URL.
The code reads the URL from the new tab and extracts the OAuth credentials from it. Once the attackers have a victims code, they can start a new login flow in Hotjar, replacing their code with the victim code and leading to a full account takeover and thus potential exposure of all the personal data collected by Hotjar.
The researchers also managed to exploit the social sign-in feature integrated into the code of the Business Insider website, specifically through mobile authentication, which opens a new Web browser to authenticate the user. After the user completes the authentication on the Web, they are then redirected to an endpoint with their credentials as parameters that are sent from the Web to the mobile site.
This endpoint, created only to support authentication using the mobile application, is vulnerable to XSS, according to the post. Thus, if an attacker can read the credentials from the URL, they can achieve account takeover.
What we need to do is write JavaScript code that starts a login flow, wait for the token to be visible in the URL, and then read that URL, according to the post. If a victim clicks on that link, their credentials will be passed to a malicious domain.
Though the flaws specifically found on Hotjar and Business Insider have been mitigated, the potential for exploit on other sites means site
administrators need to be careful in how they implement OAuth
, lest it be used in similar attack scenarios, Balmas says.
As always, when implementing any new technology, many things need to be considered, including, of course, security, he says. A solid implementation that considers all possible options should be secure and will not allow an attacker an opportunity to abuse this attack vector.

Last News

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security

▸ There are plenty of online tools for reporting bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover