New XSS Threat Exploits OAuth Social Logins Putting Millions of Websites at Risk
Salt Labs, the research arm of API security firm Salt Security, has recently discovered a significant cross-site scripting (XSS) vulnerability that has the potential to affect millions of websites globally. Unlike a product vulnerability that can be centrally patched, this issue stems from the implementation of OAuth—a widely used app for social logins—within web code. Despite the common belief among developers that XSS threats are a thing of the past, Salt Labs’ findings highlight a critical oversight in web security.
Table of Contents
The Complacency of Familiarity
The ease of implementing OAuth for social logins has led to a sense of complacency among developers. This familiarity, however, can lead to significant mistakes. The fundamental issue lies in the introduction of new technology and processes into an existing ecosystem, which can disrupt the established equilibrium. This is not a flaw in OAuth itself, but in how it is implemented across various websites. Salt Labs discovered that without meticulous care and rigor, the use of OAuth can create a new XSS route that bypasses current mitigations, potentially leading to complete account takeovers.
Case Studies: HotJar and Business Insider
Salt Labs' research focused on the implementations by two prominent firms: HotJar and Business Insider. These companies were chosen due to their substantial security postures and the significant amount of personally identifiable information (PII) they handle. If such major firms can mis-implement OAuth, the likelihood of smaller, less well-resourced websites making similar errors is high. Yaniv Balmas, VP of research at Salt Security, revealed that similar OAuth issues were found in websites including Booking.com, Grammarly, and OpenAI, though these were not included in the report.
HotJar, in particular, was highlighted due to its extensive market saturation and the vast amounts of user data it collects. Operating similarly to Google Analytics, HotJar records user session data, including screenshots, keyboard clicks, and mouse actions. This data can encompass sensitive information such as names, emails, addresses, private messages, bank details, and credentials. The discovered vulnerability allows attackers to exploit the OAuth social login process by forging and intercepting login secrets, thereby gaining unauthorized access to user accounts.
The Attack Methodology
The attack method involves combining XSS with the OAuth login flow. A crafted link mimicking a legitimate HotJar social login request initiates the attack. When a victim clicks this link, the attacker can intercept the login secrets, leading to a full account takeover. This vulnerability underscores the importance of secure implementation practices, which many websites either overlook or lack the expertise to execute.
Proactive Measures and Tools
In response to these findings, Salt Labs published its methodologies and a free scanner tool to help website operators identify and address potential OAuth XSS implementation issues. This proactive approach aims to mitigate risks before they escalate into significant security breaches. While Balmas cautions that 100% success cannot be guaranteed, the tool provides a valuable early warning system for organizations to fortify their security postures.
The discovery by Salt Labs serves as a stark reminder that even widely trusted technologies like OAuth require diligent and secure implementation. As the digital landscape continues to evolve, so too must our vigilance and commitment to robust cybersecurity practices.