[HardOCP] 685 Million Users Exposed to XSS Attacks Due to Flaws in Branch.io Service - Overclock.net - An Overclocking Community
post #1 of 13 (permalink) Old 10-15-2018, 06:38 PM - Thread Starter
[HardOCP] 685 Million Users Exposed to XSS Attacks Due to Flaws in Branch.io Service

Quote:
Websites such as Western Union, Tinder, Shopify, Yelp, Imgur, and more have been exposing their customers to XSS attacks due to a flaw in the Branch.io service used by major corporations around the world. "The Branch.io company provides the leading mobile linking platform, with solutions that unify user experience and measurement across different devices, platforms, and channels." The vpnMentor blog explains that the DOM-based XSS vulnerability would have worked on many different browsers and shows how it could have been easily exploited. It is recommended that users change their passwords.
Source.

iamjanco is offline  
post #2 of 13 (permalink) Old 10-15-2018, 09:00 PM
685 mil? Damn, that's gotta be a new record.

Cyrious is offline  
post #3 of 13 (permalink) Old 10-16-2018, 09:41 AM
Good god this is why you always frontend every web facing portion of a page with a WAF


JedixJarf is offline  
post #4 of 13 (permalink) Old 10-17-2018, 01:12 PM
Quote: Originally Posted by JedixJarf View Post
Good god this is why you always frontend every web facing portion of a page with a WAF
Would that really have helped though? You're not really manipulating access to or from a page, you're injecting scripts that run client side. Please correct me if I'm wrong, I only recently got my Security+ cert so all my knowledge is based on the theoretical, haven't had a chance to put it into practice yet.

That said, there definitely should have been content policies to stop cross site scripting, seems really weird that there weren't any.

Flames21891 is offline  
post #5 of 13 (permalink) Old 10-17-2018, 01:17 PM
Quote: Originally Posted by Flames21891 View Post
Would that really have helped though? You're not really manipulating access to or from a page, you're injecting scripts that run client side. Please correct me if I'm wrong, I only recently got my Security+ cert so all my knowledge is based on the theoretical, haven't had a chance to put it into practice yet.

That said, there definitely should have been content policies to stop cross site scripting, seems really weird that there weren't any.
https://aws.amazon.com/about-aws/wha...tch-condition/ Here is some super high level basic info, but it paints the narrative.


JedixJarf is offline  
post #6 of 13 (permalink) Old 10-17-2018, 01:48 PM
Who are the affected sites other than Yelp, Tinder, Shopify, Western Union and Imgur?
Omega X is offline  
post #7 of 13 (permalink) Old 10-17-2018, 02:38 PM
Quote: Originally Posted by Omega X View Post
Who are the affected sites other than Yelp, Tinder, Shopify, Western Union and Imgur?
Probably any customer of Branch.io?


JedixJarf is offline  
post #8 of 13 (permalink) Old 10-17-2018, 03:01 PM
Quote: Originally Posted by JedixJarf View Post
Good god this is why you always frontend every web facing portion of a page with a WAF
I'm surprised a big company like this didn't consider it.
bucdan is offline  
post #9 of 13 (permalink) Old 10-17-2018, 04:46 PM
Changed pw on imgur.com, one of the best services ever.
HITTI is offline  
post #10 of 13 (permalink) Old 10-17-2018, 07:51 PM
Quote: Originally Posted by JedixJarf View Post
https://aws.amazon.com/about-aws/wha...tch-condition/ Here is some super high level basic info, but it paints the narrative.
Okay, sorry to bug you guys once more but I'm about to learn something it seems and I just want to make sure I'm getting it right.

So a modern WAF is capable of keeping kind of a fingerprint database of XSS behavior so that it can detect common attack vectors, which you can then configure an ACL to actually handle (allow, deny or log), and the reason we know that one either wasn't being used or was very poorly configured is that this DOM XSS attack isn't a new or particularly special method of XSS and should have easily been picked up or blocked by a decent WAF. That about cover it?
Flames21891 is offline  
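
Flames21891's two questions above (whether a WAF helps against script that runs client side, and why content policies matter) are illustrated by this added example, which is not code from the thread or from Branch.io and does not describe the actual Branch.io bug. The URL, function names and fragment value are constructed for illustration; it models how the browser handles the URL fragment, the string-concatenation pattern behind a DOM-based XSS sink next to its escaped form, and an example Content-Security-Policy value.

```javascript
// Added example (not from the thread or from Branch.io). All URLs, names and
// the sample fragment are constructed for this illustration.

// Browsers never send the "#fragment" part of a URL to the server, so a WAF
// that inspects HTTP requests only ever sees the part returned here. A
// DOM-based XSS payload carried in the fragment is invisible to it.
function whatTheWafSees(fullUrl) {
  const u = new URL(fullUrl);
  return u.origin + u.pathname + u.search;
}

// The fragment as the page's own script would read it from location.hash.
function fragmentOf(fullUrl) {
  return new URL(fullUrl).hash;
}

// Decode the fragment to text; malformed %-escapes are kept as-is rather
// than crashing the page (decodeURIComponent throws a URIError on them).
function fragmentText(fragment) {
  const raw = fragment.replace(/^#/, '');
  try { return decodeURIComponent(raw); } catch (e) { return raw; }
}

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// DOM-XSS pattern: untrusted fragment text is concatenated into markup that
// the page would hand to an HTML-interpreting sink such as innerHTML, so any
// markup in the fragment is interpreted rather than displayed.
function renderGreetingUnsafe(fragment) {
  return '<p>Welcome, ' + fragmentText(fragment) + '</p>';
}

// Hardened form: escape the untrusted text before it reaches the sink.
// (In a real page, prefer element.textContent over innerHTML entirely.)
function renderGreetingSafe(fragment) {
  return '<p>Welcome, ' + escapeHtml(fragmentText(fragment)) + '</p>';
}

// Defence in depth: an example policy that disallows inline and third-party
// script, limiting what injected markup can run if a sink slips through.
// It is a mitigation, not a substitute for the escaping above.
function cspHeaderValue() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample: a fragment carrying markup instead of a plain name.
const SAMPLE_URL = 'https://example.test/welcome?ref=promo#<b>not%20a%20name</b>';
```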