Users of Tinder, Shopify, Yelp and other services are exposed to a security risk. Security researchers at vpnMentor have discovered a DOM-XSS bug that allowed them to extract information about other users through the affected apps or websites. Potentially 685 million users are affected by this vulnerability.
Yesterday vpnMentor sent me an email about this issue. A team of security researchers from vpnMentor was investigating dating apps from the client side for security issues. One of the main targets was of course the provider Tinder and its dating app. A serious vulnerability was discovered that threatens 685 million users.
Tinder with security problems?
After the first steps, the security researchers found a Tinder domain that had several client-side security problems. These would have allowed attackers to gain access to user profiles and details. Immediately after these vulnerabilities were discovered, the security researchers contacted Tinder through its disclosure program and began working with its security officers.
branch.io caused the vulnerability
During the discussion with Tinder, it emerged that branch.io is responsible for the vulnerable domain. This is a platform used by many large companies around the world. The Tinder security team helped the security researchers get in touch with branch.io, which has since published a patch.
Many vendors affected by the vulnerability
As the security researchers continued their research, they found that many large websites were using the vulnerable endpoint in their code and domains. Affected sites include Shopify, Yelp, Western Union and Imgur. This means that up to 685 million users could be affected by the DOM-XSS vulnerability.
While the bug has already been fixed, the security researchers recommend that users who have recently used Tinder or any of the other affected sites review their accounts to ensure that they have not been compromised. In addition, it would be a good idea to change the password for those services as soon as possible.
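The post does not describe the internals of the branch.io bug, so the following is a generic illustration, added here and not code from vpnMentor, Tinder or branch.io, of the DOM-XSS class it belongs to: a page reads attacker-controllable data from the URL (here the fragment, a constructed sample value) and writes it into markup without escaping. The "unsafe" and "safe" renderers, the escape helper and the marker check are all hypothetical names for this example; it returns HTML strings rather than touching a real DOM so it runs under Node without a browser.

```javascript
// Added example of a DOM-based XSS pattern (not the branch.io endpoint's code).
// Constructed sample URL whose fragment carries markup instead of a plain name.
const CONSTRUCTED_URL = "https://example.invalid/page#<img src=x onerror=probe()>";

// Source: data taken from the URL fragment. The URL parser percent-encodes
// characters such as "<" in the fragment, so decode it as a page script would.
function fragmentOf(url) {
  return decodeURIComponent(new URL(url).hash.slice(1));
}

// Vulnerable pattern: untrusted fragment concatenated straight into markup that
// would later reach an innerHTML-style sink. Any tag in the fragment survives.
function renderUnsafe(url) {
  return `<div class="greeting">Hello ${fragmentOf(url)}</div>`;
}

// Mitigation: HTML-escape every character that can open a tag or attribute,
// or, in a real page, assign the value via textContent instead of innerHTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(url) {
  return `<div class="greeting">Hello ${escapeHtml(fragmentOf(url))}</div>`;
}

// Check used by the test: the template contains only a <div>, so any other tag
// in the rendered output is markup that came from the untrusted source.
function containsInjectedMarkup(html) {
  return /<(?!\/?div\b)[a-z]/i.test(html);
}

module.exports = { CONSTRUCTED_URL, fragmentOf, renderUnsafe, renderSafe, escapeHtml, containsInjectedMarkup };
```

Run with `node` and compare `renderUnsafe(CONSTRUCTED_URL)` with `renderSafe(CONSTRUCTED_URL)`: the first carries the injected `<img>` tag through unchanged, the second renders it as visible text. A page that needs richer output than escaped text should sanitise with an allow-list rather than a blocklist, and a Content-Security-Policy without `unsafe-inline` limits what an injected tag can do even when escaping is missed.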