Branch.io Flaws may have affected as many as 685 million individuals

More than 685 million users may have been exposed to XSS attacks due to a flaw in Branch.io service used by Tinder, Shopify, and many others.

Security Affairs was the first to publish the news of a DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and other dating application.

The flaws were disclosed a few days ago by the researchers at vpnMentor who explained that an attacker could have been exploited them to access Tinder users’ profiles.

“After initial reconnaissance steps were done, a Tinder domain with multiple client-side security issues was found – meaning hackers could have access to users’ profiles and details.

Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.” reads the analysis published by vpnMentor.

“We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.”

Tinder’s security team immediately launched an investigation and discovered that the go.tinder.com domain was actually an alias for Branch.io-owned custom.bnc.lt.

The Branch.io company provides the leading mobile linking platform, with solutions that unify user experience and measurement across different devices, platforms, and channels.

A large number of major firms uses an alias to point the same custom.bnc.lt, including Yelp, Western Union, Shopify, RobinHood, Letgo, imgur, Lookout, fair.com and Cuvva, vpnMentor said.

According to vpnMentor, the flaws may have affected as many as 685 million individuals using the vulnerable services.

The DOM-based XSS discovered by the experts would have been easy to exploit in many web browsers, researchers pointed out that Branch.io’s failed to use a Content Security Policy (CSP).

Branch.io flaw

The experts urge users to change their passwords as a precaution.

“Digging deeper, we found out many big websites were sharing the vulnerable endpoint in their code and domains, including Shopify, Yelp, Western Union, and Imgur. This means that as many as 685 million users could be at risk.” continues the experts.

“While the flaw has already been fixed, if you have recently used Tinder or any of the other affected sites, we recommend checking to make sure your account hasn’t been compromised. It’s a good idea to change your password ASAP.”

Additional technical details are included in the analysis published by the experts.

Pierluigi Paganini

(Security Affairs – Branch.io, hacking)


Share On

Similar Articles:

What Prevents Good Cybersecurity and Privacy Behaviors?

What Prevents Good Cybersecurity and Privacy Behaviors?

Bitwarden Completes Third-party Security Audit – Bitwarden Blog

Bitwarden Completes Third-party Security Audit – Bitwarden Blog

Why “Cyber” is Red-Hot (and why it’s a Burning Civil Liberties Issue) - BC Civil Liberties Association

Why “Cyber” is Red-Hot (and why it’s a Burning Civil Liberties Issue) - BC Civil Liberties Association

Google 'Titan Security Key' Is Now On Sale For $50

Google 'Titan Security Key' Is Now On Sale For $50