The information of around 685 million users of Tinder, Western Union, Shopify, Yelp, and Imgur (among others) was put at risk by multiple DOM-XSS vulnerabilities that vpnMentor found on a Branch.io domain while researching the client-side security of dating apps.
Branch is an attribution platform designed to provide solutions which allow clients to track app usage stats across multiple devices, platforms, and channels.
The DOM-based cross-site scripting (XSS) vulnerability, which put the data of more than 650 million users at risk, was found by the vpnMentor research team on the Tinder domain go.tinder.com, with http://go.tinder.com/amp-iframe-redirect being the affected endpoint.
"A DOM-based XSS vulnerability, also known as 'type-0 XSS', is a class of cross-site scripting vulnerability that appears within the DOM," said vpnMentor in their analysis. "It is a type of attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim's browser, more so in a dynamic environment."
Branch.io fixed the multiple DOM-XSS vulnerabilities affecting the custom.bnc.lt domain
Moreover: "In DOM-based XSS, the HTML source code and response of the attack will be exactly the same. This means the malicious payload cannot be found in the response, making it extremely difficult for browser built-in XSS mitigation features like Chrome's XSS Auditor to perform."
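Because the payload of a DOM-based XSS never appears in the server response, the only place to stop it is in the client-side code that reads untrusted input (the URL) and feeds it to a sink such as a navigation or innerHTML. The following is an added example, not code from vpnMentor, Branch.io or Tinder: it shows how a client-side redirect page of the kind named above can validate its target before using it. The `redirect` query parameter, the `ALLOWED_HOSTS` list, the `example.com` hosts and the `status` element are all assumptions constructed for illustration.

```javascript
// Added example (not the page's or any vendor's code): validating a redirect
// target read from the URL before it reaches a DOM or navigation sink.
// Assumptions (constructed for illustration): the target arrives in a
// "redirect" query parameter and only these three hosts are legitimate.
const ALLOWED_HOSTS = ['example.com', 'app.example.com', 'links.example.net'];

// Return a normalised absolute URL string if `raw` is a safe target, else null.
function safeRedirectTarget(raw, allowedHosts = ALLOWED_HOSTS, base = 'https://example.com/') {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw, base); // resolves relative paths; throws on unparsable input
  } catch (e) {
    return null;
  }
  // Only web schemes: javascript:, data:, vbscript: and friends are rejected here.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Exact host match only, so "example.com.evil.test" does not pass.
  if (!allowedHosts.includes(url.hostname)) return null;
  // Strip embedded credentials: "https://user:pw@host/" is a lure, not a redirect.
  url.username = '';
  url.password = '';
  return url.href;
}

// Pull the raw target from a query string the way a client-side redirect page would.
function targetFromQuery(queryString) {
  return new URLSearchParams(queryString).get('redirect');
}

// Decide what the page should do for a given location.search.
// Returns { action: 'navigate', href } or { action: 'refuse', reason }.
function planRedirect(queryString) {
  const raw = targetFromQuery(queryString);
  if (raw === null) return { action: 'refuse', reason: 'no target supplied' };
  const href = safeRedirectTarget(raw);
  if (href === null) return { action: 'refuse', reason: 'target failed validation' };
  return { action: 'navigate', href };
}

// Apply the decision in a browser. Two sinks are touched: navigation uses only
// the validated string, and the status message goes through textContent, never
// innerHTML, so nothing taken from the query string is ever parsed as HTML.
function applyRedirect(plan, doc, loc) {
  if (plan.action === 'navigate') {
    loc.assign(plan.href);
  } else {
    const msg = doc.getElementById('status');
    if (msg) msg.textContent = 'Redirect refused: ' + plan.reason;
  }
}

// Only runs when loaded in a browser; harmless under Node.
if (typeof window !== 'undefined') {
  applyRedirect(planRedirect(window.location.search), document, window.location);
}
```

The design choice worth noting is that validation is done on a parsed URL, not on the raw string: checking for a `javascript:` prefix by string comparison misses case and whitespace variants, whereas `new URL()` normalises the scheme and host before the allowlist is consulted. A protocol-relative target (`//other.host/path`) resolves to a full URL and is judged by its host like any other.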
After contacting Tinder via their responsible disclosure program, the researchers found out that the domain affected by multiple client-side security flaws was owned by Branch.io and it redirected to custom.bnc.lt.
Following this discovery, vpnMentor also found that the insecure endpoint was used by many other websites, with Western Union, Shopify, Yelp, RobinHood, Canva, Cuvva, Lookout, fair.com, and Imgur among the most notable.
Branch.io has since fixed the DOM-XSS vulnerability, but users of the affected websites are still advised to reset their passwords to avoid having their information or accounts compromised.