Salt Security Provides Free Scans for XSS Vulnerabilities Involving OAuth Protocol
2024-8-5 21:21:11 Author: securityboulevard.com (view original) Views: 16 Bookmarks


Salt Security is making available a free scanning tool that it has been using to assess the level of potential risk organizations face from cross-site scripting (XSS) attacks in the wake of discovering similar flaws in multiple websites, including the Hotjar service that millions of users rely on to analyze web traffic.

Hotjar and other services are susceptible to these types of attacks because of the way they have implemented the OAuth authorization protocol. To exploit this vulnerability, a cybercriminal can send a victim a valid link to the service they want to attack. Once the victim clicks on the link, the attacker can gain full control of the account, allowing them to perform any actions and gain access to any data stored in the account.

Yaniv Balmas, vice president of research at Salt Security, said that as the adoption of OAuth has increased, so too has the potential to use XSS to intercept web traffic intended for platforms such as ChatGPT.

XSS attacks have been employed by cybercriminals since the dawn of the web, but flaws that are created because of the way OAuth is implemented are now providing an opportunity for malicious actors to employ a well-known technique to access sensitive data, he added. OAuth has already become the de facto authorization/authentication protocol of the past decade. It is an open authorization protocol that gives applications the ability to provide other applications access to specific data without requiring a password. Instead, authorization tokens are used to prove an identity.

The potential to abuse OAuth, given how widely it is employed, is unfortunately immense. End users are generally unaware when OAuth is being used to provide access to data between applications.

As a rule, rather than building custom malware, cybercriminals will employ as many familiar tactics and techniques as are available to compromise IT environments. XSS attacks remain commonplace because the level of skill required to abuse authorization protocols is relatively low. In fact, with the rise of generative artificial intelligence (AI), the level of expertise required to launch cyberattacks is only going to continue to decline.

Best Security Practices for Implementing OAuth

There are best security practices for implementing OAuth but not every website necessarily follows them. As a result, cybercriminals are now scanning for vulnerable implementations of OAuth, noted Balmas.

The one thing cybercriminals are especially adept at is finding ways to extend existing tactics and techniques in new ways, he added.

Cybersecurity teams should, of course, review their organizations’ implementations of OAuth. The application developers that implement this protocol may not have reviewed best security practices and it’s relatively easy to make a mistake. The challenge, as always, is finding the time to review every OAuth instance when there are a host of other potential vulnerabilities in need of remediation.

Nevertheless, web applications are still the most easily accessed targets any organization needs to defend. As such, the level of vigilance required to secure them needs to be constant, especially as new technologies for building them are regularly being added to an already complex mix.



Article source: https://securityboulevard.com/2024/08/salt-security-provides-free-scans-for-xxs-vulnerabilities-involving-oauth-protocol/