Recent Branch.io Patch Creates New XSS Flaw
23.10.2018 securityweek
Vulnerebility

The patch for a recently disclosed cross-site scripting (XSS) vulnerability in Branch.io introduced another similar flaw, a security researcher revealed last week.

California-based Branch.io provides customers with solutions that help create deep links for referral systems, invitations, and sharing links for attribution and analytics purposes. The service is used by many popular web platforms, including imgur, Shopify, Tinder and Yelp.

Recently, researchers at vpnMentor discovered a vulnerability in Branch.io that potentially exposed hundreds of millions of users to XSS attacks. The bug has been addressed fast and there was no evidence of malicious exploitation.

Now, Detectify security researcher Linus Särud reveals that the patch actually resulted in another XSS vulnerability. Furthermore, he explains that exploitation of this bug is actually possible using the payload for a flaw he discovered several months ago and which had been previously addressed.

The researcher discovered the initial vulnerability on a page apparently designed to redirect to a mobile app. The vulnerable file would check the redirect parameter against a blacklist and continue with the redirection if not found.

“To exploit this we need to create a link that will execute as Javascript while the protocol of it is not ‘javascript’. As far as I know this should not be possible according to browser specifications,” Särud notes.

After discovering that the blacklist could be bypassed with an empty protocol, he was eventually able to create a working exploit for Safari and then reported the bug to some of the bigger sites that used Branch.io. Apple too was notified of the issue.

Branch.io, which Särud does not name in his blog post and refers to as a “SaaS vendor,” was also alerted and a fix was released, but only a temporary one that actually broke the page the bug was discovered on, the researcher says. Following vpnMentor’s report, however, he discovered that the initial, temporary fix was apparently replaced with a permanent one.

“What makes everything interesting is that the initial payload still worked, even after the vulnerabilities found by vpnMentor had been resolved. The fix for the second vulnerability was still vulnerable to a third vulnerability, using the very same payload as in the first report,” Särud says.

The bug, however, was no longer pure DOM-based XSS (where the payload is executed by modifying the DOM environment in the victim’s browser). The URL parameters were reflected server side, but the attack “more or less still worked in the same way.”

“The solution of fixing the third vulnerability was now to add ‘ ‘ and ‘:’ to the blacklist,” Särud reveals. Because the function needs to support a variety of different custom app protocols, the use of a whitelist instead of a blacklist is likely impossible, although strongly recommended, the researcher concludes.

While Apple was informed on the protocol bug when it was initially discovered, the attack still works in the latest version of Safari, on both macOS and iOS.