Security flaws discovered in a popular web analytics provider
Briefly

Malicious actors can exploit the XSS flaw in Hotjar, combined with OAuth, by sending the target a seemingly valid link. Once the target clicks it, the attacker gains full control of the account, with access to sensitive data and actions.
Hotjar's extensive data collection, which stores PII, bank details, and private messages, poses a significant risk. The service's widespread use, including by major corporations, amplifies the potential impact of security vulnerabilities.
Although the research focuses on Hotjar, the researchers suggest that the combination of widespread OAuth usage and prevalent XSS issues means similar vulnerabilities likely exist across various web services, posing a broad security risk.
Read at Securitymagazine