Carding Forum
Hotjar and Business Insider are not the only victims of authentication bugs.
Salt Security, an API security company, has identified critical security flaws in two widely used web services: Hotjar and Business Insider. Experts warn that the discovered vulnerabilities put millions of users at risk around the world.
Hotjar is a tool that complements Google Analytics and records user activity to analyze their behavior. It is used by more than a million websites, including well-known brands such as Adobe, Microsoft, Panasonic, Columbia, RyanAir, Decathlon, T-Mobile and Nintendo. Given the specifics of how Hotjar works, the service collects huge amounts of personal and confidential information: names, email addresses, home addresses, personal messages, bank data and, in some cases, even customer credentials.
Salt Labs researchers found that attackers can exploit a combination of vulnerabilities in the OAuth authentication standard and cross-site scripting (XSS) to hijack accounts. OAuth is a modern standard that is increasingly used for seamless authentication between sites, such as when you see the option "sign in with Facebook" or "sign in with Google".
XSS is considered one of the most common and long-standing vulnerabilities in web applications. It allows an attacker to inject malicious code into a legitimate web page in order to execute scripts in the site visitor's browser for data theft and other malicious actions.
Experts have demonstrated how to manipulate the Hotjar social authorization process, which redirects the user to Google to receive a secret token via OAuth. This token is a URL containing special code that can be read by JavaScript code, which creates an XSS vulnerability.
A similar problem was found on the Business Insider website — a popular news portal with millions of readers around the world. In this case, the vulnerability was identified in the mobile version of the site, where the authentication process was also exposed to XSS attacks.
Yaniv Balmas, vice president of research at Salt, emphasizes that the vulnerabilities found are likely to be much more widespread and may affect many other online services.
Salt Labs promptly notified Hotjar and Business Insider about the detected problems. The vulnerabilities were fixed within a few days after the report.
The vulnerability on the Business Insider website was discovered on March 20, and the company fixed the problem by March 30. The flaw in Hotjar was identified on April 17 and fixed two days after the notification.
Experts urge website administrators to be extra vigilant when implementing OAuth to avoid such attack scenarios. Balmas advises: "There are many factors to consider when implementing any new technology, including, of course, security. A robust implementation that takes all possible options into account must be secure and prevent an attacker from taking advantage of this attack vector."
Source