Researchers at vpnMentor were analysing Tinder and other dating applications when they discovered a Tinder domain, go.tinder.com, that had multiple XSS vulnerabilities. According to vpnMentor, the flaws could have been exploited to access Tinder users’ profiles. Following vpnMentor’s research please see below for commentary and insight from Rusty Carter, VP of Product Management at Arxan.
Rusty Carter, VP of Product Management at Arxan:
“The DOM-XSS vulnerabilities found in Tinder, Shopify, Yelp, Western Union, and Imgur, and the data exposure risks created by them, exemplifies the risks that consumers are exposed to in browser-based applications.
Over the past weeks we have seen massive impacts to sensitive and personal data exposure resulting from DOM manipulation and behaviour modification that is possibly due to the nature of browser-applications being streamed and assembled at run time in a consumer’s browser. From malicious browser plugins to Magecart, the browser poses a significant attack vector that is resulting in consumer loss, and the erosion of trust in businesses. With Magecart, one breach of an international airline alone, saw the exposure of the financial data for 350,000 individuals. With the discovery of the DOM-XSS vulnerabilities, we see the risk already of 685 million individuals personal and private data potentially being exposed or at least at risk. Photos, ecommerce, money transfers, and even very private information about dating was at risk due to the vulnerabilities found.
Consumers’ data is being exposed from applications at an alarming rate, and the rise in visibility of browser-app vulnerabilities underscores the need for businesses to focus their attention on securing the browser-applications as they run on end-consumer devices. What is a stark reality in these latest vulnerabilities and attacks is that network infrastructure does not address these issues. WAF, NGFW, IPS and other network-based security systems are critical to a business’s overall security posture, but they are not addressing the massive vulnerabilities at the endpoint.
In order to maintain the trust of consumers, businesses need to look at securing the DOM of their application – as it’s effectively the blueprint for what and how an application is assembled and run in the browser. Being able to detect anomalous changes and respond rapidly is critical to maintaining the security of data flowing to/from consumers via their browser, and ultimately maintaining trust and overall reputation.
Consumers will increasingly change their behaviour by voting with their fingers and eyeballs and avoiding businesses that put them at risk online. While the immediate and direct financial impact cannot be overlooked, businesses should be keenly focused on the long-term health of their business that relies most heavily on the level of trust consumers have to view and provide data to them online.”