
Although cross-site scripting (XSS) attacks might have fallen out of prominence in recent years, researchers have demonstrated a new method that enables bad actors to steal user session tokens.
API security firm Salt Security has discovered how XSS can be combined with other technologies, like OAuth, to once again become a significant threat to hijack user accounts. They managed to obtain session tokens despite HTTP-Only protection on a high-profile website.
In a nutshell, XSS means that an attacker can run JavaScript (JS) code in the victim's browser. Browsers store user credentials for websites, such as cookies and other tokens, and in typical XSS exploits attackers hijack user sessions by stealing these cookies.
They need only convince victims to click on a link crafted to include the malicious JS code. However, many websites have built-in protections against such code, such as the HTTP-Only flag mentioned above, so the injected script cannot read the cookies.
Yet, websites are not bulletproof against attempts to inject malicious scripts from unauthorized sources.
Researchers discovered that Hotjar, a popular analytics platform that serves “one million websites,” including Microsoft, Adobe, T-Mobile, and many other global brands, was vulnerable to such an attack.
“One of the features in Hotjar – and almost any other modern website today – is social login, which is based on OAuth (the open standard for authorization). When you connect to Hotjar using Google, Hotjar sends you to Google. Google generates a secret token for you, and you pass the secret back to Hotjar to complete the authentication,” the report explained.
Researchers crafted a malicious Hotjar URL containing JavaScript code which, once injected, starts a new OAuth login flow and successfully reads the secret token sent by Google.
An attacker can then use this token to start a new login flow in Hotjar, injecting the victim's stolen code into it and logging into the victim's Hotjar account, leading to a full account takeover.
“When a victim (Hotjar’s account owner) clicks on this link (which has a legitimate domain), their credentials will be passed to an attacker,” Salt Labs said.
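An added illustration, not code from Salt Labs or Hotjar, of why a code lifted from the victim's flow is usable in the attacker's own flow, and of the OAuth-level control that closes that gap: with PKCE (RFC 7636) each authorization code is bound to a verifier kept in the relying party's server-side session, so a code issued during the victim's flow cannot be redeemed from a different session. The identity provider, relying party and session ids below are toy stand-ins constructed for this example.

```python
import base64, hashlib, secrets

def s256(verifier):  # PKCE S256 transform: BASE64URL(SHA-256(verifier)), no padding
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

class MockIdP:
    """Toy identity provider (Google's role in the report); constructed for this example."""
    def __init__(self):
        self.codes = {}  # one-time code -> code_challenge it is bound to (None if PKCE is off)

    def authorize(self, code_challenge=None):
        code = secrets.token_urlsafe(16)
        self.codes[code] = code_challenge
        return code  # in reality this arrives on the redirect URL, readable by page JavaScript

    def exchange(self, code, code_verifier=None):
        if code not in self.codes:
            raise PermissionError("unknown or already-redeemed code")
        challenge = self.codes.pop(code)  # a code is redeemable once
        if challenge is not None and s256(code_verifier or "") != challenge:
            raise PermissionError("code was issued to a different login flow")
        return {"access_token": "tok-" + secrets.token_hex(4)}

class MockClient:
    """Toy relying party (Hotjar's role). Sessions are keyed by the HttpOnly cookie value,
    so the PKCE verifier stays server-side and never reaches page JavaScript."""
    def __init__(self, idp, pkce=True):
        self.idp, self.pkce, self.sessions = idp, pkce, {}

    def start_login(self, session_id):
        verifier = secrets.token_urlsafe(32) if self.pkce else None
        self.sessions[session_id] = verifier
        return self.idp.authorize(s256(verifier) if verifier else None)

    def callback(self, session_id, code):
        if session_id not in self.sessions:
            raise PermissionError("no login in progress for this session")
        return self.idp.exchange(code, self.sessions.pop(session_id))

def injected_code_accepted(pkce):
    """Replay the report's scenario: a code obtained from the victim's login flow is fed into a
    flow the attacker started in their own session. Returns True if that yields a login."""
    rp = MockClient(MockIdP(), pkce=pkce)
    victim_code = rp.start_login("victim-session")  # victim's flow; the code leaks via XSS
    rp.start_login("attacker-session")              # attacker's own flow, own (different) verifier
    try:
        return "access_token" in rp.callback("attacker-session", victim_code)
    except PermissionError:
        return False
```

Without PKCE the injected code is accepted; with it the token exchange fails because the attacker's session holds a different verifier, while a normal login in a single session still succeeds.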
Hotjar collects a vast volume of personal and sensitive data, such as names, emails, addresses, private messages, banking details, and even credentials under certain circumstances. The platform can also record user screen and keyboard activity.
“Whether or not you’ve heard of Hotjar, chances are that you have probably interacted with one of the million websites using its technology, which means it may have collected your data somehow,” researchers said.
“The impact could have been very severe had these issues remained unaddressed.”
They warned that in an account takeover scenario, attackers could obtain an extensive amount of sensitive and valuable information from users, including the website’s administrators.
Hotjar already fixed the issue after the responsible disclosure.
However, it seems the saga of XSS will continue. Salt Labs already plans to release the next report on another well-known company that was vulnerable to “a slightly different” new method of combining XSS and OAuth.