The fix for the DOM-based XSS in Branch.io introduced a new XSS flaw
23.10.2018 securityaffairs Vulnerebility
The security patch for the recently disclosed cross-site scripting (XSS) vulnerability in Branch.io has introduced another similar XSS vulnerability.
According to the security researcher Linus Särud, the security fix for the recently disclosed cross-site scripting (XSS) vulnerability in Branch.io has introduced another similar XSS vulnerability.
The Branch.io company provides the leading mobile linking platform, with solutions that unify user experience and measurement across different devices, platforms, and channels.
The service is used by many popular web services, including Tinder, imgur, Shopify, and Yelp.
The flaw was disclosed a few days ago by the researchers at vpnMentor who explained that an attacker could have been exploited them to access Tinder users’ profiles.
“After initial reconnaissance steps were done, a Tinder domain with multiple client-side security issues was found – meaning hackers could have access to users’ profiles and details.
Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.” reads the analysis published by vpnMentor.
“We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.”
Now Särud discovered even after the deployment of the security patch it is possible to exploit a new XSS flaw using the payload for a flaw he discovered several months ago and that had been previously fixed.
“Almost a year ago, I started to look into the assets belonging to a company that are running a public bug bounty-program. One way of approaching a target is to look for plain HTML-files hosted on a site that is not normally built that way. This type of file often contains DOM-XSS vulnerabilities” reads the analysis of the expert.
“The purpose of the page seems to be to redirect to a mobile app. It takes the redirect-parameter, checks the protocol against a blacklist and if not found redirects to it.”
The researchers discovered the initial vulnerability on a page apparently designed to redirect to a mobile app, it would check the redirect parameter against a blacklist and if not found redirects to it.
The expert discovered that it is possible to bypass the blacklist using an empty protocol, then he devised a working exploit for Safari and reported the issue to the most popular websites that used Branch.io.
The expert notified the issue to Branch.io, referenced in the report as a “SaaS vendor,” but the company addressed it with a temporary fix.
After the publication of the security advisory from vpnMentor, Särud noticed that the temporary fix was replaced with a permanent one that introduced the new XSS-vulnerabilities.
“Fast forward some months, and I received a link to vpnMentor’s write-up which shows that the temporary fix had been replaced with a more permanent one. However that in turn resulted in new XSS-vulnerabilities, this time found by vpnMentor.” Särud explained.
“What makes everything interesting is that the initial payload still worked, even after the vulnerabilities found by vpnMentor had been resolved. The fix for the second vulnerability was still vulnerable to a third vulnerability, using the very same payload as in the first report,”
The flaw recently introduced is no longer pure DOM-based XSS, it is now reflected server side but the researchers confirmed it works more or less in the same way.
“The solution of fixing the third vulnerability was now to add ‘ ‘ and ‘:’ to the blacklist,” Särud said.
“It is most likely this function need to support a lot of different custom app protocols making it more or less impossible to use a whitelist instead of a blacklist, an approach that otherwise would been strongly recommended.”
The expert concluded that despite Apple was notified on the protocol bug when it was discovered for the first time, the attack still works in the latest version of Safari for macOS and iOS.