Research from Salt Security unveils a security flaw within the popular web analytics provider, Hotjar. A cross-site scripting (XSS) issue was discovered by researchers, notably when combining it with OAuth technology. OAuth is deployed by a wide range of web services, as it plays a pivotal role in social-login functions.
Malicious actors can leverage this vulnerability by sending the target a valid link to the service they want to exploit. Since the link is legitimate, the target will have virtually no means to recognize whether or not it is part of a larger attack without a deeper, more technical examination. This link can be sent via email, text message, social media or any other channel. Once the link is clicked, a malicious actor can exert full control over the account, enabling them to gain access to stored data or perform any desired action on the account.
Hotjar is a tool complementing Google Analytics, collecting large volumes of sensitive data. The data collected includes personally identifiable information (PII), bank details, private messages and possibly credentials. Furthermore, Hotjar services more than one million websites, including major entities like Microsoft. Therefore, the vulnerabilities in Hotjar could allow malicious actors to gain unlimited access to data within these services, potentially impacting millions of users and organizations globally.
While the research focused on specific entities, the researchers emphasize that the popularity of OAuth and the frequency of XSS issues suggest that this vulnerability is not limited to Hotjar. The research argues that it is likely this issue exists in a variety of web services.
