It allows an attacker to steal victim’s session token, login credentials, performing arbitrary actions and to capture the keystrokes.
VPNMentor notified Tinder about the vulnerabilities through their responsible disclosure program. With further analysis, VPNMentor researchers learned that vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe.
DOM-based XSS – Redirection Strategy and Validation Bypass
The researchers initial finding was with the endpoint https://go.tinder.com/amp-iframe-redirect which prone to multiple vulnerabilities. With the displayed script redirect_strategy is “INJECTIONA” and scheme_redirect is “INJECTIONB” was found.
Attackers can modify the redirect_strategy to a dom-XSS payload results in the execution of client-side code with the context of Tinder in the user browser.
Also, researchers observed the validation functions can be bypassed because indexOf will find “https://“
Researchers named few sites affected with the vulnerability such as RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, fair.com and more.
Now the vulnerability has been fixed if you have used Tinder or any of the other affected sites recently, it recommended to ensure that your account hasn’t been compromised. It’s a good idea to change your password ASAP.”