Sunday, May 4, 2025
HomeCyber Security NewsDOM-based XSS Vulnerability Affected 685 Million Users of Tinder, Shopify, Western Union,...

DOM-based XSS Vulnerability Affected 685 Million Users of Tinder, Shopify, Western Union, and Imgur

Published on

SIEM as a Service

Follow Us on Google News

Security researchers from VPNMentor detected multiple client-side vulnerabilities that allow hacker’s to access users’ profiles and details.

DOM-based XSS also called as type-0 XSS, this vulnerability allows an attacker to craft a malicious URL and if the URL visited by another user, then the javascript will be executed in the user’s browser.

It allows an attacker to steal victim’s session token, login credentials, performing arbitrary actions and to capture the keystrokes.

VPNMentor notified Tinder about the vulnerabilities through their responsible disclosure program. With further analysis, VPNMentor researchers learned that vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe.
- Advertisement - Google News

They also found that the same vulnerable endpoint was used by many big websites such as Shopify, Yelp, Western Union, and Imgur which puts 685 million users could be at risk.

DOM-based XSS – Redirection Strategy and Validation Bypass

The researchers initial finding was with the endpoint https://go.tinder.com/amp-iframe-redirect which prone to multiple vulnerabilities. With the displayed script redirect_strategy is “INJECTIONA” and scheme_redirect is “INJECTIONB” was found.

client-side vulnerabilities

Attackers can modify the redirect_strategy to a dom-XSS payload results in the execution of client-side code with the context of Tinder in the user browser.

client-side vulnerabilities

Also, researchers observed the validation functions can be bypassed because indexOf will find “https://“

Researchers named few sites affected with the vulnerability such as RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, fair.com and more.

Now the vulnerability has been fixed if you have used Tinder or any of the other affected sites recently, it recommended to ensure that your account hasn’t been compromised. It’s a good idea to change your password ASAP.”

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...