The newly discovered DOM-XSS vulnerability affects Tinder, Shopify, Yelp and many others
- Hackers could exploit the vulnerability to access user profile information and other details from the impacted application.
- About 685 million users who have been using these applications could be at risk.
A newly discovered DOM-based XSS vulnerability affects applications such as Tinder, Shopify, Yelp, Western Union and Imgur. Hackers could exploit the vulnerability to access user profile information and other details from the impacted application. About 685 million users who have been using these applications could be at risk.
Security researchers at vpnMentor discovered the vulnerability while researching how dating apps implement client-side security, with the Tinder application as their main focus. During the initial stages of the research they found multiple client-side security issues in the Tinder application.
However, when the researchers contacted Tinder's security team and notified them of the vulnerabilities, they found out that the vulnerable endpoint was not owned by Tinder but by branch.io, which provides an attribution platform used by many companies around the world.
About the vulnerability
According to the vpnMentor blog post, DOM-XSS, or "type-0 XSS", is a cross-site scripting vulnerability that arises within the DOM: client-side JavaScript reads attacker-controlled data (for example from the URL) and writes it into the page without proper encoding. An attacker can exploit this to modify the DOM environment in the victim's browser so that the page's own HTML and scripts produce the attacker's desired response. Because the malicious payload never appears in the server's HTTP response, server-side filters and other response-based mitigations cannot detect it.
vpnMentor researchers said, "The fact that the vulnerability is DOM based and branch.io still isn't using CSP made these vulnerabilities easy to exploit in any browser we like."
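To make the source-to-sink flow described above concrete, here is an added example (not code from vpnMentor, branch.io or Tinder) that models a page reading a parameter from the URL fragment and writing it into markup, beside the hardened form. The page URL, the parameter name and the payload are all constructed for illustration; the "DOM write" is modelled as the string a real page would assign to innerHTML, so the code runs under Node without a browser.

```javascript
// Added example modelling a DOM-based XSS source and sink (not code from the
// original article or from any of the vendors it names).

// SOURCE: the URL fragment. Browsers never send "#..." in the HTTP request, so
// no server log, WAF or response filter sees it; only client-side JS does.
// This is why a DOM-XSS payload "cannot be found in the response".
function fragmentParam(pageUrl, name) {
  const hash = new URL(pageUrl).hash.replace(/^#/, '');
  return new URLSearchParams(hash).get(name) || '';
}

// VULNERABLE SINK: untrusted fragment data concatenated straight into markup.
// In a real page this string would be assigned to element.innerHTML, and any
// tag in it (e.g. <img onerror=...>) would execute. Returned here for testing.
function renderUnsafe(pageUrl) {
  const name = fragmentParam(pageUrl, 'name');
  return '<p>Welcome back, ' + name + '</p>';
}

// HARDENED SINK: encode the five HTML metacharacters before building markup.
// Equivalent in effect to using element.textContent instead of innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(pageUrl) {
  return '<p>Welcome back, ' + escapeHtml(fragmentParam(pageUrl, 'name')) + '</p>';
}

// Defensive check: true if the rendered output still contains a raw tag that
// came from the untrusted input, i.e. the sink failed to encode it. Useful as
// a unit test around templating code, in addition to a CSP that forbids
// inline event handlers (the second layer the article notes was missing).
function leaksRawMarkup(pageUrl, renderer) {
  const raw = fragmentParam(pageUrl, 'name');
  return /<[a-z]/i.test(raw) && renderer(pageUrl).includes(raw);
}

// Constructed demo input (hypothetical host, textbook payload).
const DEMO_URL = 'https://app.example.invalid/welcome#name=' +
  encodeURIComponent('<img src=x onerror=alert(1)>');

module.exports = { fragmentParam, renderUnsafe, renderSafe, leaksRawMarkup, DEMO_URL };
```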
Branch’s security team has now fixed the vulnerability for all the domains.
The bug affects many other websites and applications
After vpnMentor researchers notified them of the vulnerability, Tinder's security team launched an investigation and found that the go.tinder.com domain was actually an alias for custom.bnc.lt, one of Branch.io's resources.
The security researchers also found many other websites and applications that shared the vulnerable branch.io endpoint in their code and domains. Some of the affected websites include RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, fair.com and many more.
vpnMentor researchers estimated that as many as 685 million users of the impacted services could have been affected by the vulnerability.
While the flaw has already been fixed, we recommend that users who have recently used Tinder or any of the other affected sites check that their accounts have not been compromised. It is a good idea to change the passwords for the affected applications and domains as soon as possible.