More than 685 million users may have been exposed to XSS attacks because of a flaw in the Branch.io service used by Tinder, Shopify and others.
The flaws were disclosed a few days ago by researchers at vpnMentor, who explained that an attacker could exploit the flaw to gain unauthorised access to users' Tinder profiles.
“After initial reconnaissance steps were done, a Tinder domain with multiple client-side security issues was found – meaning hackers could have access to users’ profiles and details.
Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.” reads the analysis published by vpnMentor.
“We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.”
Tinder's security team immediately opened an investigation and found that the go.tinder.com domain was in fact an alias for the Branch.io-owned custom.bnc.lt.
A large number of big companies use an alias pointing at custom.bnc.lt, among them Yelp, Western Union, Shopify, RobinHood, Letgo, imgur, Lookout, fair.com and Cuvva.
According to vpnMentor, the flaws may have affected up to 685 million people who used the vulnerable services.
The DOM-based XSS discovered by the researchers was easy to exploit in many web browsers. The researchers pointed out that Branch.io did not use a Content Security Policy (CSP).
The researchers suggest that all users change their passwords as a precaution.
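To make the two points in that paragraph concrete, the following is an added example (not Branch.io's, Tinder's or vpnMentor's code): a simplified DOM-based XSS pattern in which text from the URL fragment reaches an HTML sink, the same rendering with output encoding, and a small helper that checks whether a CSP header still permits inline script. The element stand-in, the function names and the sample fragment are all constructed for this illustration.

```javascript
// Added example, not code from the article or from Branch.io: a DOM-based XSS sink,
// its hardened form, and a check of the CSP mitigation the article says was missing.
// Every input below is constructed for illustration.

// Minimal stand-in for a DOM element so the example runs under Node as well as in a browser.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern: the URL fragment (user-controlled and never sent to the server, which is
// why server-side filters and logs do not see it) is concatenated straight into innerHTML, so
// any markup it contains is parsed by the browser.
function renderGreetingUnsafe(el, locationHash) {
  const name = decodeURIComponent(locationHash.replace(/^#/, ""));
  el.innerHTML = "<h1>Welcome, " + name + "</h1>";
  return el.innerHTML;
}

// Hardened pattern: encode the HTML metacharacters before the value reaches an HTML sink
// (assigning to textContent instead of innerHTML avoids the problem entirely where possible).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderGreetingSafe(el, locationHash) {
  const name = decodeURIComponent(locationHash.replace(/^#/, ""));
  el.innerHTML = "<h1>Welcome, " + escapeHtml(name) + "</h1>";
  return el.innerHTML;
}

// Defence in depth: a Content-Security-Policy that forbids inline script keeps an injected
// event handler from executing even when a sink is missed. This parses a CSP header and
// reports whether inline script would be allowed. As in the CSP specification, script-src
// falls back to default-src, a nonce- or hash-source in the list makes 'unsafe-inline'
// ignored, and a policy with neither directive places no restriction on scripts.
function cspAllowsInlineScript(cspHeader) {
  const directives = {};
  for (const part of cspHeader.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  const sources = directives["script-src"] || directives["default-src"];
  if (!sources) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed fragment of the kind shown in DOM XSS write-ups; the unsafe renderer emits it
// as live markup, the safe renderer emits harmless text.
const constructedHash = "#<img src=x onerror=alert(1)>";
console.log(renderGreetingUnsafe(makeElement(), constructedHash));
console.log(renderGreetingSafe(makeElement(), constructedHash));
console.log(cspAllowsInlineScript("default-src 'self'; script-src 'self'")); // false
console.log(cspAllowsInlineScript("script-src 'self' 'unsafe-inline'"));     // true
```

The CSP check is the defender's quick triage for the second finding: a header whose script-src (or default-src fallback) contains 'unsafe-inline' without a nonce or hash, or a site with no script policy at all, gains nothing from CSP against a DOM-based injection.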
“Digging deeper, we found out many big websites were sharing the vulnerable endpoint in their code and domains, including Shopify, Yelp, Western Union, and Imgur. This means that as many as 685 million users could be at risk.” the experts continue.
“While the flaw has already been fixed, if you have recently used Tinder or any of the other affected sites, we recommend checking to make sure your account hasn’t been compromised. It’s a good idea to change your password ASAP.”
Additional details about the investigation can be found here.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.