Recent Patch Creates New XSS Flaw

The patch for a recently disclosed cross-site scripting (XSS) vulnerability in introduced another similar flaw, a security researcher revealed last week.

California-based provides customers with solutions that help create deep links for referral systems, invitations, and sharing links for attribution and analytics purposes. The service is used by many popular web platforms, including imgur, Shopify, Tinder and Yelp.

Recently, researchers at vpnMentor discovered a vulnerability in that potentially exposed hundreds of millions of users to XSS attacks. The bug was addressed quickly and there was no evidence of malicious exploitation.

Now, Detectify security researcher Linus Särud reveals that the patch actually resulted in another XSS vulnerability. Furthermore, he explains that exploitation of this bug is actually possible using the payload for a flaw he discovered several months ago and which had been previously addressed.

The researcher discovered the initial vulnerability on a page apparently designed to redirect to a mobile app. The vulnerable file checked the redirect parameter against a blacklist and continued with the redirection if the parameter was not on the list.

“To exploit this we need to create a link that will execute as Javascript while the protocol of it is not ‘javascript’. As far as I know this should not be possible according to browser specifications,” Särud notes.

After discovering that the blacklist could be bypassed with an empty protocol, he was eventually able to create a working exploit for Safari and then reported the bug to some of the bigger sites that used the service. Apple was also notified of the issue.

The vendor, which Särud does not name in his blog post and refers to as a “SaaS vendor,” was also alerted and a fix was released, but only a temporary one that actually broke the page the bug was discovered on, the researcher says. Following vpnMentor’s report, however, he discovered that the initial, temporary fix was apparently replaced with a permanent one.

“What makes everything interesting is that the initial payload still worked, even after the vulnerabilities found by vpnMentor had been resolved. The fix for the second vulnerability was still vulnerable to a third vulnerability, using the very same payload as in the first report,” Särud says.

The bug, however, was no longer pure DOM-based XSS (where the payload is executed by modifying the DOM environment in the victim’s browser). The URL parameters were reflected server side, but the attack “more or less still worked in the same way.”

“The solution of fixing the third vulnerability was now to add ‘ ‘ and ‘:’ to the blacklist,” Särud reveals. Because the function needs to support a variety of different custom app protocols, the use of a whitelist instead of a blacklist is likely impossible, although strongly recommended, the researcher concludes.
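The pattern described above, a redirect parameter screened by string matching against a scheme blacklist, is shown below beside a check that lets the browser's own URL parsing algorithm decide what the scheme actually is. This is an added illustration, not the vendor's or the researcher's code; the scheme list and function names are assumptions, and the inputs are constructed samples.

```javascript
// Added example: string-matching blacklist vs. parser-based scheme check
// for an app-redirect parameter. Not the vendor's code.

const DANGEROUS_SCHEMES = new Set(["javascript:", "data:", "vbscript:"]);

// Naive check of the kind the article describes: scan the raw string for
// banned prefixes. Leading whitespace or an unusual casing slips past it,
// because the browser normalises those away before deciding the scheme.
function naiveBlacklistAllows(target) {
  const lower = target.toLowerCase();
  for (const bad of DANGEROUS_SCHEMES) {
    if (lower.startsWith(bad)) return false;
  }
  return true;
}

// Parser-based check: run the value through the WHATWG URL parser (the same
// algorithm browsers use, which strips leading/trailing whitespace and
// lowercases the scheme), then test the normalised scheme. Values with an
// empty or missing scheme fail to parse and are rejected outright, while
// custom app schemes such as myapp:// still pass, as the article says they must.
function parserAllows(target) {
  let url;
  try {
    url = new URL(target); // throws on relative input or an empty scheme
  } catch {
    return false;
  }
  return !DANGEROUS_SCHEMES.has(url.protocol);
}

// Constructed sample inputs: two legitimate redirect targets, one scheme the
// article's blacklist was meant to stop, and the same scheme with a leading
// space, which the string check misses and the parser check catches.
const SAMPLES = [
  "https://example.com/app",
  "myapp://open/item/1",
  "javascript:void(0)",
  " javascript:void(0)",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "naive:", naiveBlacklistAllows(s), "parser:", parserAllows(s));
}
```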

While Apple was informed of the protocol bug when it was initially discovered, the attack still works in the latest version of Safari, on both macOS and iOS.

Related: Flaws Exposed Tinder, Shopify, Yelp Users to XSS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
