685 million users may be affected by the Branch.io service XSS vulnerability

Oct 16, 2018Elley
Learn more about 360 Total Security

Hundreds of million users may have been exposed to cross-site scripting (XSS) attacks due to vulnerabilities in the Branch.io services used by Tinder, Shopify, Yelp and many others.

When the researchers analyzed Tinder and other applications, they found a Tinder domain, go.tinder.com, which had multiple XSS vulnerabilities. The researchers said that these vulnerabilities could be used to access Tinder users’ profiles. However, in most cases, exploiting XSS defects requires the target to click on a specially crafted link.

After receiving the vulnerability notification, Tinder’s security team initiated the investigation and determined that the go.tinder.com domain is actually an alias for the Branch.io resource custom.bnc.lt.

Branch.io is a California-based company that provides analytical assistance to organizations such as businesses, recommending systems, creating deep links, and more. In addition, there are several large companies that have the same attack endpoints because of the use of Branch.io resources, such as Yelp, Western Union, Shopify, RobinHood, Letgo, imgur, Lookout, fair.com, and Cuvva.

It is estimated that these vulnerabilities may have affected 685 million people using related services. Although security vulnerabilities have been patched and there is no evidence that user profiles have been maliciously exploited, the researchers still believe users should change their passwords as a precaution. Experts say that because Branch.io fails to use Content Security Policy (CSP), it is easy to exploit DOM-based XSS vulnerabilities in many Web browsers.

“[DOM-based XSS] is an attack where the attack payload is the result of modifying the DOM environment in the victim’s browser, especially in a dynamic environment,” vpnMentor said in a blog post. “In DOM-based XSS, the HTML source code and attack response will be exactly the same. This means that malicious load cannot be found in the response, which makes the browser’s built-in XSS mitigation features (such as Chrome’s XSS Auditor) difficult to execute.”

Even though the bug has been fixed, the researchers still recommend that users who have recently used Tinder or any other affected sites should change their passwords in time to improve security.

Learn more about 360 Total Security