Critical vulnerabilities have been discovered in popular web analytics provider Hotjar and major news outlet Business Insider by security researchers at Salt Labs.

Description

These vulnerabilities chain a cross-site scripting (XSS) flaw with OAuth [3], enabling attackers to access sensitive data by deceiving victims into clicking on a legitimate-looking link. Major brands such as Adobe, Microsoft [2], T-Mobile [2], and Nintendo are at risk. Salt Labs has developed a tool to assist companies in evaluating their exposure to similar exploits. The issue extends beyond Hotjar and Business Insider, as numerous other web services that rely on OAuth may also be susceptible. Organizations are urged to implement robust security measures to thwart exploitation of this attack vector. XSS combined with access to OAuth tokens or sessions lets an attacker manipulate user accounts and data [1], underscoring the need for continuous vigilance and proactive threat detection within security teams.
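The page does not say how the XSS was triggered on the affected sites, only that it was combined with OAuth tokens or sessions. The following added example (written for this summary, not code from Salt Labs, Hotjar or Business Insider) illustrates the general failure mode with a generic, assumed pattern: an OAuth callback page that reflects an untrusted query parameter into HTML unescaped and hands the access token to page JavaScript, beside a hardened version that escapes output, keeps the token server-side and exposes only an HttpOnly session cookie. All names, tokens and payloads are constructed.

```python
import html
import secrets
from typing import Dict, Tuple

# Constructed sample values; no real tokens, users or sites.
SAMPLE_TOKEN = "access-token-EXAMPLE-0000"
# An untrusted value carried on the callback URL, as an attacker-controlled link would supply it.
INJECTED_STATE = '"><script>/* injected */</script>'

# Hypothetical server-side store mapping opaque session ids to OAuth tokens.
SESSION_STORE: Dict[str, str] = {}


def render_callback_vulnerable(token: str, state: str) -> str:
    """'Before' pattern: reflects `state` without escaping (reflected XSS) and writes
    the OAuth access token into page script, so any XSS on the origin can read it."""
    return (
        "<html><body>"
        f"<p>Signed in. Returning you to {state}</p>"
        f"<script>localStorage.setItem('token', '{token}');</script>"
        "</body></html>"
    )


def render_callback_hardened(token: str, state: str) -> Tuple[str, Dict[str, str], str]:
    """Hardened pattern: HTML-escape every reflected value, keep the OAuth token
    on the server behind an opaque session id, and send that id only as an
    HttpOnly cookie that page JavaScript cannot read. Returns (body, headers, session_id)."""
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = token
    body = (
        "<html><body>"
        f"<p>Signed in. Returning you to {html.escape(state, quote=True)}</p>"
        "</body></html>"
    )
    headers = {
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
        # Assumed baseline policy; tune per site. Blocks inline script from executing even if reflected.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return body, headers, session_id


def token_exposed_to_page(body: str, token: str) -> bool:
    """True when the bearer token itself appears anywhere in the HTML delivered to the browser."""
    return token in body


def contains_unescaped(body: str, untrusted: str) -> bool:
    """True when an untrusted input was reflected verbatim (i.e. not entity-encoded)."""
    return untrusted in body


if __name__ == "__main__":
    vuln = render_callback_vulnerable(SAMPLE_TOKEN, INJECTED_STATE)
    print("vulnerable: token in page =", token_exposed_to_page(vuln, SAMPLE_TOKEN),
          "| raw reflection =", contains_unescaped(vuln, INJECTED_STATE))
    body, headers, sid = render_callback_hardened(SAMPLE_TOKEN, INJECTED_STATE)
    print("hardened:   token in page =", token_exposed_to_page(body, SAMPLE_TOKEN),
          "| raw reflection =", contains_unescaped(body, INJECTED_STATE))
    print("hardened cookie:", headers["Set-Cookie"])
```

The two checks at the bottom are the ones worth carrying into a review or test suite: a bearer token should never appear in HTML or in anything page script can read, and every value copied from the request into the response should fail the verbatim-substring check because it has been entity-encoded.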

Conclusion

The discovery of these vulnerabilities underscores the importance of implementing strong security measures to safeguard against potential attacks. Organizations must remain vigilant and proactive in identifying and addressing security threats to protect sensitive data and prevent unauthorized access.

References

[1] https://www.scmagazine.com/news/1-million-hotjar-users-vulnerable-to-xss-attacks
[2] https://www.infosecurity-magazine.com/news/hotjar-business-insider-flaw-oauth/
[3] https://salt.security/press-releases/salt-security-discovers-security-flaws-in-hotjar-potentially-affecting-sensitive-data-of-millions-utilizing-major-global-brands—issues-have-been-remediated