DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More

Discussion in 'other security issues & news' started by mood, Oct 12, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,753
    DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More
    October 11, 2018
    https://securityaffairs.co/wordpress/77056/hacking/dom-xss-bug-tinder.html
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,890
    Location:
    The Netherlands
    I didn't fully understand it. Is this something that can be tackled by multi-process browsers?
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,775
    Location:
    Slovenia
    Info of 685 Million Users at Risk Because of Multiple Branch.io XSS Flaws
    https://news.softpedia.com/news/inf...-of-multiple-branch-io-xss-flaws-523267.shtml
     
  4. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,602
    I don't think process isolation helps, but AFAIK what an end user can do is not far different from other basic tactics to fight against (reflective or type-2) XSS, i.e. block untrusted scripts, don't browse while you're logged in but instead use a separate browser or separate profiles (or a per-tab sandbox), and check whether your important service uses CSP and other security measures (and consider moving to another or closing your account if their security is poor). The latter is an often-forgotten security practice, I think. Also you can disable some browser functions often abused in DOM-based XSS, such as IndexedDB, but it's not comprehensive, as there are too many functions susceptible to abuse, and it will cause trouble.

    I didn't know, but in 2012 all sites using jQuery Mobile also suffered from a DOM-based XSS vuln. Experts suggest the risk of this is increasing, as (1) more and more sites rely on JS, (2) it's more likely to bypass the built-in XSS auditor and is also hard to detect on the server, and (3) it's harder to spot the vuln by traditional scanning, even though bad guys can spot it.
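As an added example (the editor's, not code from any of the posts or the linked articles), a small checker for the "does my important service use CSP" advice above: it parses a Content-Security-Policy header value and reports whether the policy would block injected inline script, the usual payload of a DOM-based XSS. The sample headers are constructed.

```javascript
// Parse a CSP header: directives split on ';', tokens on whitespace,
// first occurrence of a directive wins (as browsers do). Values are lowercased.
function parseCsp(header) {
  const policy = {};
  for (const part of (header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return policy;
}

// script-src governs script execution; default-src is the fallback when absent.
function effectiveScriptSrc(policy) {
  return policy['script-src'] || policy['default-src'] || null;
}

// Report whether injected inline script would run under this policy.
function assessCsp(header) {
  const src = effectiveScriptSrc(parseCsp(header));
  if (src === null) {
    return { restrictsScripts: false, inlineAllowed: true,
             note: 'no script-src or default-src: CSP gives no XSS protection' };
  }
  const hasNonceOrHash = src.some(v => /^'(nonce-|sha(256|384|512)-)/.test(v));
  const strictDynamic = src.includes("'strict-dynamic'");
  // Browsers ignore 'unsafe-inline' once a nonce, hash or 'strict-dynamic' is present.
  const inlineAllowed = src.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic;
  const broadHosts = src.some(v => v === '*' || v === 'https:' || v === 'http:');
  let note;
  if (inlineAllowed) note = "'unsafe-inline' lets injected inline script run";
  else if (broadHosts && !strictDynamic) note = 'inline blocked, but the host allowlist is very broad';
  else note = 'inline script blocked and script sources restricted';
  return { restrictsScripts: true, inlineAllowed, note };
}

// Constructed sample headers (not taken from any real site).
const SAMPLE_HEADERS = {
  none: '',
  weak: "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
  strong: "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'",
};

for (const [label, header] of Object.entries(SAMPLE_HEADERS)) {
  const r = assessCsp(header);
  console.log(`${label}: inlineAllowed=${r.inlineAllowed} (${r.note})`);
}
```

To check a live site, paste the value of its Content-Security-Policy response header (from the browser's network panel) into `assessCsp`; a missing header or `inlineAllowed=true` means the site is not relying on CSP against XSS.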
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,890
    Location:
    The Netherlands
    Good tip, but I thought multi-process browsers were supposed to protect against this stuff.
     