685 Million Users Exposed to XSS Attacks Due to Flaws in Branch.io Service

Discussion in 'HardForum Tech News' started by cageymaru, Oct 15, 2018.

  1. cageymaru

    cageymaru [H]ard as it Gets

    Websites such as Western Union, Tinder, Shopify, Yelp, Imgur, and more have been exposing their customers to XSS attacks due to a flaw in the Branch.io service used by major corporations around the world. "The Branch.io company provides the leading mobile linking platform, with solutions that unify user experience and measurement across different devices, platforms, and channels." The vpnMentor blog explains that the DOM-based XSS vulnerability would have worked on many different browsers and shows how it could have been easily exploited. It is recommended that users change their passwords.

    The fact that the vulnerability is DOM-based and branch.io still isn't using CSP made these vulnerabilities easy to exploit in any browser we like. This meant that the redirect strategy could be modified to a specially crafted payload to manipulate the DOM. go.tinder.com is an alias for custom.bnc.lt, a Branch.io resource, and many other companies have their alias pointing to it. Thanks to the fast response we got from Branch's security team, this vulnerability has now been fixed for everyone's domains.
     
  2. arnemetis

    arnemetis 2[H]4U

    As time goes on, more and more of people's lives will be spent changing passwords regularly to combat all of these exploits. How long before the daily morning consists of wake up, take a shower, drink some coffee, change 40 passwords?
     
  3. Dead Parrot

    Dead Parrot 2[H]4U

    If the code isn't run from your own domain, security is near impossible to verify.
     
  4. Spidey329

    Spidey329 [H]ardForum Junkie

    It's why I use a unique password for everything now. That way I just have to change the one or two new leaks every morning.
     
  5. clockdogg

    clockdogg Gawd

    Pretty sure Google will want to ban cross-site scripting for the benefit of the web. Oh....wait....
     
  6. Messy

    Messy Limp Gawd

    MAN I LOVE THE DECENTRALIZED IDEA BEHIND THE INTERNET! LET'S CENTRALIZE EVERYTHING THROUGH GATEWAYS...

    **ahem**
     
  7. aaronspink

    aaronspink 2[H]4U

    There's a reason I run noscript. XSS is quite simply the dumbest thing possible. There just isn't any need for it. In a reasonable software world, almost all XSS software would be run local with basically zero impact to the servers using a measured repeatable build management system.
     
  8. Submarinesailor

    Submarinesailor [H]Lite

    There's no comprehensive list in the sourced article, just a small listing in the technical paper.
    "RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, fair.com and more."