Saturday, December 2, 2023

DOM-based XSS Vulnerability Affected 685 Million Users of Tinder, Shopify, Western Union, and Imgur

Security researchers from VPNMentor detected multiple client-side vulnerabilities that allow hacker’s to access users’ profiles and details.

DOM-based XSS also called as type-0 XSS, this vulnerability allows an attacker to craft a malicious URL and if the URL visited by another user, then the javascript will be executed in the user’s browser.

It allows an attacker to steal victim’s session token, login credentials, performing arbitrary actions and to capture the keystrokes.

VPNMentor notified Tinder about the vulnerabilities through their responsible disclosure program. With further analysis, VPNMentor researchers learned that vulnerable endpoint isn’t owned by Tinder, but by, an attribution platform used by many big corporations around the globe.

They also found that the same vulnerable endpoint was used by many big websites such as Shopify, Yelp, Western Union, and Imgur which puts 685 million users could be at risk.

DOM-based XSS – Redirection Strategy and Validation Bypass

The researchers initial finding was with the endpoint which prone to multiple vulnerabilities. With the displayed script redirect_strategy is “INJECTIONA” and scheme_redirect is “INJECTIONB” was found.

client-side vulnerabilities

Attackers can modify the redirect_strategy to a dom-XSS payload results in the execution of client-side code with the context of Tinder in the user browser.

client-side vulnerabilities

Also, researchers observed the validation functions can be bypassed because indexOf will find “https://“

Researchers named few sites affected with the vulnerability such as RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, and more.

Now the vulnerability has been fixed if you have used Tinder or any of the other affected sites recently, it recommended to ensure that your account hasn’t been compromised. It’s a good idea to change your password ASAP.”


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles