Flaws in Branch.io Affected Over 685 Million Users

[nir]

More than 685 million user have been affected by a security flaw in the Branch.io service which was used by Tinder, Shopify and many other web services. The flaw was due to a DOM-XSS Bug that was affecting Tinder, Shopify, Yelp and many other dating applications. The flaws were disclosed by the Security Researchers at the VPNMentor.
 

Researchers have also suggested that the flaw may have been taken advantage to gain access to user profiles of Tinder users. “After initial examination steps were done, a Tinder domain with multiple client-side security vulnerabilities was found – meaning hackers could have access to users’ profiles and details.

Did the Company Fix the Vulnerability?

The company has started working on fixing the vulnerability immediately after they were informed about the flaw. Although the vulnerable endpoint is not owned by Tinder but by branch.io, a platform which is used for the attribution by some of the large corporations throughout the world.

“We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.”

The company’s security team have also launched an investigation and found that go.tinder.com is an alias which is currently owned by Branch.io and customer.bnc.it.
 

Branch.io provides a mobile linking platform to unify user experience across multiple devices, platforms and channels. Also, some of the big names like Yelp, Western Union, Shopify, RobinHood, Letgo, Imgur, Lookout, fair, Cuvva use the same URL endpoint as the alias point.

How many users were affected?

According to analysis, the flaw might have affected over 685 million users using the vulnerable devices. The DOM-based XSS discovered by the experts is very easy to exploit in many web browsers as researchers pointed out the Brach.io’s Content Security Policy.

“Digging deeper, we found out many big websites were sharing the vulnerable endpoint in their code and domains, including Shopify, Yelp, Western Union, and Imgur. This means that as many as 685 million users could be at risk.” continues the experts.
 

“While the flaw has already been fixed, if you have recently used Tinder or any of the other affected sites, we recommend checking to make sure your account hasn’t been compromised. It’s a good idea to change your password ASAP.”

Source