[HardOCP] 685 Million Users Exposed to XSS Attacks Due to Flaws in Branch.io Service - Overclock.net - An Overclocking Community

post #1 of 13 (permalink) Old 10-15-2018, 06:38 PM - Thread Starter
Head Dwarf
 
Join Date: Aug 2016
Location: In a circus tent
Posts: 1,918
Rep: 86 (Unique: 56)
[HardOCP] 685 Million Users Exposed to XSS Attacks Due to Flaws in Branch.io Service

Quote:
Websites such as Western Union, Tinder, Shopify, Yelp, Imgur, and more have been exposing their customers to XSS attacks due to a flaw in the Branch.io service used by major corporations around the world. "The Branch.io company provides the leading mobile linking platform, with solutions that unify user experience and measurement across different devices, platforms, and channels." The vpnMentor blog explains that the DOM-based XSS vulnerability would have worked on many different browsers and shows how it could have been easily exploited. It is recommended that users change their passwords.
Source.

...playin' the lead role in a dwerg tossing contest.


iamjanco is offline  
post #2 of 13 (permalink) Old 10-15-2018, 09:00 PM
*cough*Stock*cough*
 
Join Date: Jul 2010
Location: in my mancave
Posts: 3,102
Rep: 230 (Unique: 200)
685 mil? Damn, that's gotta be a new record.

Carter, can you explain that in *English*?


Cyrious is offline  
post #3 of 13 (permalink) Old 10-16-2018, 09:41 AM
Retired Staff
 
Join Date: Dec 2010
Location: Coruscant
Posts: 9,373
Rep: 305 (Unique: 244)
Good god this is why you always frontend every web facing portion of a page with a WAF


JedixJarf is online now  
post #4 of 13 (permalink) Old 10-17-2018, 01:12 PM
Needs more voltage
 
Join Date: Jul 2008
Location: Lemoore, CA
Posts: 503
Rep: 36 (Unique: 34)
Quote: Originally Posted by JedixJarf View Post
Good god this is why you always frontend every web facing portion of a page with a WAF
Would that really have helped though? You're not really manipulating access to or from a page; you're injecting scripts that run client side. Please correct me if I'm wrong; I only recently got my Security+ cert, so all my knowledge is based on the theoretical, and I haven't had a chance to put it into practice yet.

That said, there definitely should have been content policies to stop cross site scripting, seems really weird that there weren't any.

There are no problems, only solutions I have yet to enunciate.
Flames21891 is offline  
post #5 of 13 (permalink) Old 10-17-2018, 01:17 PM
Retired Staff
 
Join Date: Dec 2010
Location: Coruscant
Posts: 9,373
Rep: 305 (Unique: 244)
Quote: Originally Posted by Flames21891 View Post
Would that really have helped though? You're not really manipulating access to or from a page; you're injecting scripts that run client side. Please correct me if I'm wrong; I only recently got my Security+ cert, so all my knowledge is based on the theoretical, and I haven't had a chance to put it into practice yet.

That said, there definitely should have been content policies to stop cross site scripting, seems really weird that there weren't any.
https://aws.amazon.com/about-aws/wha...tch-condition/ Here is some super high level basic info, but it paints the narrative.


JedixJarf is online now  
post #6 of 13 (permalink) Old 10-17-2018, 01:48 PM
Original 16-bit Genesis®
 
Join Date: Mar 2013
Location: That gap between the couch cushion.
Posts: 1,615
Rep: 66 (Unique: 43)
Who are the affected sites other than Yelp, Tinder, Shopify, Western Union and Imgur?
Omega X is offline  
post #7 of 13 (permalink) Old 10-17-2018, 02:38 PM
Retired Staff
 
Join Date: Dec 2010
Location: Coruscant
Posts: 9,373
Rep: 305 (Unique: 244)
Quote: Originally Posted by Omega X View Post
Who are the affected sites other than Yelp, Tinder, Shopify, Western Union and Imgur?
Probably any customer of Branch.io?


JedixJarf is online now  
post #8 of 13 (permalink) Old 10-17-2018, 03:01 PM
New to Overclock.net
 
Join Date: Jan 2006
Location: San Diego, CA
Posts: 6,071
Rep: 202 (Unique: 181)
Quote: Originally Posted by JedixJarf View Post
Good god this is why you always frontend every web facing portion of a page with a WAF
I'm surprised a big company like this didn't consider it.

Quote: Originally Posted by holtzman
Computer viruses are like herpes. You never think in a million years you'd get one... Till you do.
bucdan is offline  
post #9 of 13 (permalink) Old 10-17-2018, 04:46 PM
New to Overclock.net
 
Join Date: Oct 2014
Posts: 1,361
Rep: 17 (Unique: 17)
Changed pw on imgur.com, one of the best services ever.

Win10 x64 Pro, Acer XB240H, Corsair Obsidian 750D Black,DEMCifilter Corsair Obsidian 750D Dust Filter Kit,Delidded i7-3770K OC'[email protected], F3-12800CL8D-8GBXM, MSI GeForce GTX 960 2GD5, ASRock Z75 Pro3, EVGA SuperNOVA 750 G2 PSU, EK-KIT L240, 2 x NF-A14-FLX Fans, 2 x NF-F12 iPPC 2000, 2 x Samsung 840 Pro 128GB RAID 0 32KB strip, WD Re WD1003FBYZ 1TB,2TB HGST/Hitachi (HUA723020ALA641), Samsung SH-S223L.


HITTI is offline  
post #10 of 13 (permalink) Old 10-17-2018, 07:51 PM
Needs more voltage
 
Join Date: Jul 2008
Location: Lemoore, CA
Posts: 503
Rep: 36 (Unique: 34)
Quote: Originally Posted by JedixJarf View Post
https://aws.amazon.com/about-aws/wha...tch-condition/ Here is some super high level basic info, but it paints the narrative.
Okay, sorry to bug you guys once more but I'm about to learn something it seems and I just want to make sure I'm getting it right.

So a modern WAF is capable of keeping kind of a fingerprint database of XSS behavior so that it can detect common attack vectors, which you can then configure an ACL to actually handle (allow, deny or log) and the reason we know that one either wasn't being used or was very poorly configured is that this DOM XSS attack isn't a new or particularly special method of XSS and should have easily been picked up or blocked by a decent WAF. That about cover it?

There are no problems, only solutions I have yet to enunciate.
Flames21891 is offline  