685 Million Users Exposed to XSS Attacks Due to Flaws in Branch.io Service

cageymaru

Websites such as Western Union, Tinder, Shopify, Yelp, Imgur, and more have been exposing their customers to XSS attacks due to a flaw in the Branch.io service used by major corporations around the world. "The Branch.io company provides the leading mobile linking platform, with solutions that unify user experience and measurement across different devices, platforms, and channels." The vpnMentor blog explains that the DOM-based XSS vulnerability would have worked on many different browsers and shows how it could have been easily exploited. It is recommended that users change their passwords.

The fact that the vulnerability is DOM-based and branch.io still isn't using CSP made these vulnerabilities easy to exploit in any browser we like. This meant that by modifying the redirect strategy, a specially crafted payload could manipulate the DOM. go.tinder.com is an alias for custom.bnc.lt, a Branch.io resource. And many other companies have their alias pointing to it. Thanks to the fast response we got from Branch's security team, this vulnerability has now been fixed for everyone's domains.
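The two defensive points in that quote, a redirect target taken from the page URL and the absence of a CSP, are easier to see in code. This is an added example, not Branch.io's or vpnMentor's code: it assumes a hypothetical link page that reads a `redirect` query parameter, and the allowlisted hosts are made up.

```javascript
// Added example (not Branch.io code): a redirect page reads "?redirect=..."
// from its own URL and sends the browser there. The hostnames are assumed.

// Vulnerable pattern: the untrusted value is passed through untouched. Assigning a
// "javascript:" URL to location, or writing the value into innerHTML, runs
// attacker-controlled script in the page's origin (DOM-based XSS).
function unsafeRedirectTarget(query) {
  const params = new URLSearchParams(query);
  return params.get('redirect') || '/';
}

// Hardened version: parse as a URL, accept only http(s), and only hosts the
// service actually links to. Anything else falls back to the site root.
const ALLOWED_HOSTS = new Set(['example.com', 'app.example.com']); // assumed
function safeRedirectTarget(query, allowedHosts = ALLOWED_HOSTS) {
  const raw = new URLSearchParams(query).get('redirect');
  if (!raw) return '/';
  let url;
  try {
    // Relative paths resolve against our own origin (assumed example.com).
    url = new URL(raw, 'https://example.com/');
  } catch (e) {
    return '/';
  }
  // Rejects javascript:, data:, vbscript: and any other non-web scheme.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return '/';
  // Rejects open redirects to hosts outside the allowlist ("//evil.example/x").
  if (!allowedHosts.has(url.hostname)) return '/';
  return url.href;
}

// A policy the page should serve so an injected inline script still cannot run.
const EXAMPLE_CSP =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Simplified check of a CSP value: scripts must be governed by script-src (or
// default-src), with neither 'unsafe-inline' nor a wildcard source. Nonce and
// hash sources are not modelled here.
function cspBlocksInlineScript(cspValue) {
  const directives = Object.fromEntries(
    cspValue.split(';').map((d) => d.trim()).filter(Boolean)
      .map((d) => { const [name, ...src] = d.split(/\s+/); return [name, src]; })
  );
  const scriptSrc = directives['script-src'] || directives['default-src'];
  if (!scriptSrc) return false; // no policy covers scripts at all
  return !scriptSrc.includes("'unsafe-inline'") && !scriptSrc.includes('*');
}
```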
 
As time goes on, more and more of people's lives will be spent changing passwords regularly to combat all of these exploits. How long before the daily morning consists of wake up, take a shower, drink some coffee, change 40 passwords?

It's why I use a unique password for everything now. That way I just have to change the one or two new leaks every morning.
 
MAN I LOVE THE DECENTRALIZED IDEA BEHIND THE INTERNET! LET'S CENTRALIZE EVERYTHING THROUGH GATEWAYS...

**ahem**
 
There's a reason I run NoScript. XSS is quite simply the dumbest thing possible. There just isn't any need for it. In a reasonable software world, almost all XSS software would be run local with basically zero impact to the servers using a measured repeatable build management system.
 
There's no comprehensive list in the sourced article, just a small listing in the technical paper.
"RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, fair.com and more."
 