685 million users may be affected by the Branch.io service XSS vulnerability
Hundreds of millions of users may have been exposed to cross-site scripting (XSS) attacks due to vulnerabilities in the services Branch.io used by Tinder, Shopify, Yelp and many others.
When vpnMentor researchers analysed Tinder and other applications, they found a Tinder domain, go.tinder.com, which had multiple XSS vulnerabilities. vpnMentor said that these vulnerabilities could be used to access Tinder users’ profiles. However, in most cases, exploiting XSS defects requires the target to click on a specially crafted link.
Image: vpnmentor
After receiving the vulnerability notification, Tinder’s security team initiated the investigation and determined that the go.tinder.com domain is an alias for the Branch.io resource custom.bnc.lt.
Branch.io is a California-based company that provides analytical assistance to organisations such as businesses, recommending systems, creating deep links, and more. Also, several large companies have the same attack endpoints because of the use of Branch.io resources, such as Yelp, Western Union, Shopify, RobinHood, Letgo, imgur, Lookout, fair.com, and Cuvva.
Researchers at the VPN company estimate that these vulnerabilities may have affected 685 million people using related services. Although security vulnerabilities have been patched and there is no evidence that user profiles have been maliciously exploited, vpnMentor still believes users should change their passwords as a precaution. Experts say that because Branch.io fails to use the Content Security Policy (CSP), it is easy to exploit DOM-based XSS vulnerabilities in many Web browsers.
“DOM-based XSS vulnerability, also known as “type-0 XSS” is a class of cross-site scripting vulnerability that appears within the DOM. It is a type of attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim’s browser, more so in a dynamic environment. In DOM-based XSS, the HTML source code and response of the attack will be exactly the same. This means the malicious payload cannot be found in the response, making it extremely difficult for browser-built in XSS mitigation features like Chrome’s XSS Auditor to perform.”
Even though the bug has been fixed, the researchers still recommend that users who have recently used Tinder or any other affected site change their passwords in time to improve security.