DOM-based XSS Vulnerability Affected 685 Million Users of Tinder, Shopify, Western Union, and Imgur

Security researchers from VPNMentor detected multiple client-side vulnerabilities that allow hacker’s to access users’ profiles and details.

DOM-based XSS also called as type-0 XSS, this vulnerability allows an attacker to craft a malicious URL and if the URL visited by another user, then the javascript will be executed in the user’s browser.

It allows an attacker to steal victim’s session token, login credentials, performing arbitrary actions and to capture the keystrokes.

VPNMentor notified Tinder about the vulnerabilities through their responsible disclosure program. With further analysis, VPNMentor researchers learned that vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe.

They also found that the same vulnerable endpoint was used by many big websites such as Shopify, Yelp, Western Union, and Imgur which puts 685 million users could be at risk.

DOM-based XSS – Redirection Strategy and Validation Bypass

The researchers initial finding was with the endpoint https://go.tinder.com/amp-iframe-redirect which prone to multiple vulnerabilities. With the displayed script redirect_strategy is “INJECTIONA” and scheme_redirect is “INJECTIONB” was found.

client-side vulnerabilitiesclient-side vulnerabilities

Attackers can modify the redirect_strategy to a dom-XSS payload results in the execution of client-side code with the context of Tinder in the user browser.

Also, researchers observed the validation functions can be bypassed because indexOf will find “https://“

Researchers named few sites affected with the vulnerability such as RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, fair.com and more.

Now the vulnerability has been fixed if you have used Tinder or any of the other affected sites recently, it recommended to ensure that your account hasn’t been compromised. It’s a good idea to change your password ASAP.”

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

3 hours ago

GenAI Assistant DIANNA Uncovers New Obfuscated Malware

Deep Instinct’s GenAI-powered assistant, DIANNA, has identified a sophisticated new malware strain dubbed BypassERWDirectSyscallShellcodeLoader. This…

3 hours ago

Hackers Expose 184 Million User Passwords via Open Directory

A major cybersecurity incident has come to light after researcher Jeremiah Fowler discovered a publicly…

3 hours ago

New Formjacking Malware Targets E-Commerce Sites to Steal Credit Card Data

A disturbing new formjacking malware has emerged, specifically targeting WooCommerce-based e-commerce sites to steal sensitive…

4 hours ago

GitLab Duo Vulnerability Exploited to Inject Malicious Links and Steal Source Code

A security vulnerability was recently discovered in GitLab Duo, the AI-powered coding assistant integrated into…

4 hours ago