Tinder users were at risk of having their profiles breached by hackers due to multiple XSS vulnerabilities, according to a team of researchers.
A vulnerable endpoint operated by branch.io, a global attribution platform, introduced multiple XSS vulnerabilities on a slew of household-name websites. The company has now issued a patch after being contacted via Tinder’s responsible disclosure program.
"Our team of security researchers was researching dating apps’ client-side security, and one of the main focus targets was Tinder. A Tinder domain with multiple client-side security issues was found – meaning hackers could have access to users’ profiles and details. We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch", said the researchers from vpnMentor in a blogpost.
Branch.io provides services to companies including Tinder, Shopify, Yelp, Western Union, and Imgur, a lengthy client list that potentially put up to 685 million users at risk from the vulnerability.
The vulnerability discovered is a DOM-based XSS, also known as "type-0 XSS": the attack payload executes because the page’s own client-side script modifies the DOM environment in the victim’s browser after reading attacker-controlled input, typically a value carried in the URL. Because the HTML source code served by the server is exactly the same whether or not an attack is under way, the malicious payload cannot be found in the server’s response. This makes DOM-based XSS particularly hard to catch: server-side filters, web application firewalls and scanners that inspect responses never see the payload, and the mitigations that remain in the browser tend to struggle to detect the attack.
Adam Brown, manager of security solutions at Synopsys told SC Media UK that: "This vulnerability (XSS) allows attackers to run their malicious code in victims’ browsers.
"As this vulnerability has been known about for many years, and is currently ranked as #7 in the OWASP top 10, it’s surprising that Branch.io did not detect it since modern tools should find it. Also it shows that the data controllers along the way (Tinder et al) are likely not assessing their vendors’ platforms to the necessary depth for application vulnerabilities.
"All of these organisations should adopt or mature their software security initiative. BSIMM 9 released this month is a free share and share alike document that can help organisations do exactly this. I would recommend the software security groups in these organisations pay attention to it."
Joseph Carson, Chief Security Scientist at Thycotic, told SC Media UK that the issue was particularly severe: "This is a serious bug and any company using the vulnerable version should patch it ASAP. Failure to patch this bug adequately could expose companies to financial penalties under the EU GDPR for failure to protect and secure personally identifiable information (PII). This incident is another reminder to be very careful when registering to internet services and be aware of what exact information you are providing and ensure that you only provide the minimum required as this will help limit the impact of such data breaches."
Rusty Carter, VP of Product Management at Arxan, commented in a statement: "The DOM-XSS vulnerabilities found in Tinder, Shopify, Yelp, Western Union, and Imgur, and the data exposure risks created by them, exemplify the risks that consumers are exposed to in browser-based applications. Consumers’ data is being exposed from applications at an alarming rate, and the rise in visibility of browser-app vulnerabilities underscores the need for businesses to focus their attention on securing the browser applications as they run on end-consumer devices.
"What is a stark reality in these latest vulnerabilities and attacks is that network infrastructure does not address these issues. WAF, NGFW, IPS and other network-based security systems are critical to a business’s overall security posture, but they are not addressing the massive vulnerabilities at the endpoint", he summarised.