A critical vulnerability in Branch.io may have exposed millions of users to cross-site scripting (XSS) attacks
A critical vulnerability in Branch.io may have exposed millions of users to cross-site scripting (XSS) attacks. Branch.io is a deep-linking service used by popular companies such as Shopify, Tinder, Yelp, Western Union, and Imgur, and the flaw is estimated to affect around 685 million people.

The DOM-based XSS vulnerability was discovered by security researchers at vpnMentor, who said an attacker could exploit it to access users' profiles and details on Tinder. The researchers said they found a Tinder domain with multiple client-side security issues that allowed attackers to access Tinder users' profiles. After discovering the flaw, the researchers contacted Tinder and investigated it jointly with them. The investigation found that "go.tinder.com is an alias for custom.bnc.lt, a Branch.io resource. And many other companies have their alias pointing to it." With Tinder's help, the researchers notified Branch.io, and a patch was released immediately.

A DOM-based XSS flaw is also known as "type-0 XSS". It is a cross-site scripting flaw that lives entirely in client-side code: the payload is executed by modifying the DOM environment in the victim's browser at runtime, typically when a script reads attacker-controlled data (for example from the URL fragment, which the browser never sends to the server) and writes it into a dangerous sink such as innerHTML or document.write. The HTML the server sends is exactly the same whether or not the URL carries a payload, so server-side filters and web application firewalls never see it. "This means the malicious payload cannot be found in the response, making it extremely difficult for browser-built in XSS mitigation features like Chrome's XSS Auditor to perform." Because the flaw is DOM-based and Branch.io did not deploy a Content Security Policy (CSP) at the time, the researchers said it was exploitable in any web browser.

The company has patched the flaw. Users are advised to change the passwords on their accounts and to check their accounts for any suspicious activity.
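The following is an added example, not code from Branch.io, Tinder or vpnMentor, and it does not reproduce the patched flaw. It models the general pattern described above: a hypothetical welcome page reads a name from the URL fragment and writes it into the document with innerHTML (the vulnerable sink), next to a hardened version that uses textContent plus an allowlist, a function showing that the request the server receives is identical with and without the payload, and a small CSP-header check for the 'unsafe-inline' keyword that an inline event handler would need. The URL, element, parameter format and payload are all constructed here; FakeElement stands in for a DOM element so the code runs under Node without a browser.

```javascript
// Added example (not Branch.io's or vpnMentor's code). Models a DOM-based XSS:
// attacker data rides in the URL fragment, the browser never sends the fragment
// to the server, and client-side script writes it into an HTML sink.

// Minimal element stand-in so this runs under Node. In a real page `el` would be
// document.getElementById('greeting').
class FakeElement {
  constructor() { this.innerHTML = ''; this.textContent = ''; }
}

// What the server receives for a request: path and query only. The fragment is
// stripped by the browser, so the server's HTML response is identical for a clean
// URL and for one carrying a payload. That is why the payload is absent from the
// response and invisible to server-side filters.
function requestLineFor(pageUrl) {
  const u = new URL(pageUrl);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// Vulnerable client-side code (hypothetical): decode the fragment and write it with
// innerHTML. Markup in the fragment, e.g. an <img> with an onerror handler, becomes
// live DOM and the handler runs in the page's origin.
function renderVulnerable(pageUrl, el) {
  const fragment = new URL(pageUrl).hash.slice(1);          // drop the leading '#'
  el.innerHTML = 'Welcome back, ' + decodeURIComponent(fragment);
  return el.innerHTML;
}

// Hardened version: textContent treats the value as inert text, and the value is
// also checked against an allowlist of what the page actually expects (assumed
// here to be a short display name).
const NAME_PATTERN = /^[\p{L}\p{N} _.'-]{1,64}$/u;           // assumed format
function renderSafe(pageUrl, el) {
  const fragment = decodeURIComponent(new URL(pageUrl).hash.slice(1));
  const name = NAME_PATTERN.test(fragment) ? fragment : 'guest';
  el.textContent = 'Welcome back, ' + name;
  return el.textContent;
}

// Second line of defence the article notes was missing: a Content Security Policy.
// An inline handler such as onerror="..." only runs if the governing script
// directive allows 'unsafe-inline'. Simplified: ignores nonce/hash interactions.
function cspAllowsInlineScript(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return true;                                // no policy: inline runs
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed attack URL: the payload travels in the fragment.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const ATTACK_URL = 'https://links.example.com/welcome?ref=mail#' + encodeURIComponent(PAYLOAD);
const CLEAN_URL = 'https://links.example.com/welcome?ref=mail#Alice';

function demo() {
  return {
    cleanRequest: requestLineFor(CLEAN_URL),
    attackRequest: requestLineFor(ATTACK_URL),               // same as cleanRequest
    vulnerable: renderVulnerable(ATTACK_URL, new FakeElement()),
    safe: renderSafe(ATTACK_URL, new FakeElement()),
    weakCsp: cspAllowsInlineScript("default-src 'self' 'unsafe-inline'"),
    strongCsp: cspAllowsInlineScript("default-src 'self'; script-src 'self' https://cdn.example.com"),
  };
}

console.log(demo());
```

The request lines for the clean and the attack URL are byte-for-byte identical, which is the whole point of the "payload is not in the response" remark quoted above: detection has to happen in the browser (CSP, or auditing the page's own sinks), not on the server. When reviewing client-side code for this class of bug, look for any path from location.hash, location.search, document.referrer or window.name into innerHTML, outerHTML, document.write, eval or a javascript: URL.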