Now this might be going out on a limb, but here's how a branch.io bug left '685 million' netizens open to website hacks

Tinder subdomain flaw turns into massive everybody flaw

Bug-hunters have told how they uncovered a significant security flaw that affected the likes of Tinder, Yelp, Shopify, and Western Union – and potentially hundreds of millions of folks using these sites and apps.

The software sniffers said they first came across the exploitable programming blunder while digging into webpage code on dating websites. After discovering a Tinder.com subdomain – specifically, go.tinder.com – that had a cross-site scripting flaw, they got in touch with the hookup app's makers to file a bug report.

As it turned out, the vulnerability they discovered went far beyond one subdomain on a site for lonely hearts. The team at VPNMentor said the since-patched security hole had left as many as 685 million netizens vulnerable to cross-site-scripting attacks, during which hackers attempt to steal data and hijack accounts. To pull off one of these scripting attacks, a victim would have to click on a malicious link or open a booby-trapped webpage while logged into a vulnerable service.

That staggering nine-figure number is because the security issue was actually within a toolkit, called branch.io, that tracks website and app users to figure out where they've come from, be it Facebook, email links, Twitter, etc. With the bug lurking in branch.io's code and embedded in a ton of services and mobile applications, the number of people potentially at risk of being hacked via cross-site scripting soared past the half-a-billion mark, we're told.

"Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them," one of the bug-stalkers, Ariel Hochstadt, explained earlier this week. "We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe."

Lloyd's Horse logo on building

Sealed with an XSS: IT pros urge Lloyds Group to avoid web cross talk

READ MORE

Among the sites found to be using the vulnerable components were reviews site Yelp, cash wiring biz Western Union, Shopify, and photo-sharing site Imgur, it is claimed. Hochstadt estimated the sites together handle around 685 million user accounts.

The bug itself was a particularly nasty form of DOM cross-site-scripting that would have let an attacker slip cross-site calls past basic security checks. "In DOM-based XSS, the HTML source code and response of the attack will be exactly the same," said Hochstadt. "This means the malicious payload cannot be found in the response, making it extremely difficult for browser-built in XSS mitigation features like Chrome’s XSS Auditor to perform."

A spokesperson for branch.io, which boasts of "over 2 billion monthly users across the globe," was not available to comment on the matter.

Hochstadt said it privately reported the issue to branch.io, which, we're told, was able to patch it, and there was no indication the flaw was being actively exploited at any point. Still, Hochstadt reckons users should consider changing their passwords, and keep a close eye on their accounts for an suspicious activity. ®




Biting the hand that feeds IT © 1998–2018