Our videos have over 5 million views on Youtube! Visit our channel now »
The listings featured on this site are from companies from which this site receives compensation. Read the Advertising Disclosure for more information
Professional Reviews

vpnMentor contains reviews that are written by our community reviewers, and are based on the reviewers' independent and professional examination of the products/services.


vpnMentor is owned by Kape Technologies PLC, which owns the following products: ExpressVPN, CyberGhost, ZenMate, Private Internet Access, and Intego, which may be reviewed on this website.

Affiliate Commissions Advertising

vpnMentor contains reviews that were written by our experts and follow the strict reviewing standards, including ethical standards, that we have adopted. Such standards require that each review will be based on an independent, honest and professional examination of the reviewer. That being said, we may earn a commission when a user completes an action using our links, which will however not affect the review but might affect the rankings. The latter are determined on the basis of customer satisfaction of previous sales and compensation received.

Reviews Guidelines

The reviews published on vpnMentor are written by experts that examine the products according to our strict reviewing standards. Such standards ensure that each review is based on the independent, professional and honest examination of the reviewer, and takes into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings we publish may take into consideration the affiliate commissions we earn for purchases through links on our website.

DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More

Our team of security researchers was researching dating apps client-side security, and one of the main focus targets was Tinder.

After initial reconnaissance steps were done, a Tinder domain with multiple client-side security issues was found - meaning hackers could have access to users' profiles and details.

Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them.

We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe. The Tinder security team helped us get in touch with them, and accordingly, they’ve put out a timely patch.

Digging deeper, we found out many big websites were sharing the vulnerable endpoint in their code and domains, including Shopify, Yelp, Western Union, and Imgur. This means that as many as 685 million users could be at risk.

While the flaw has already been fixed, if you have recently used Tinder or any of the other affected sites, we recommend checking to make sure your account hasn't been compromised. It's a good idea to change your password ASAP.


DOM-based XSS vulnerability, also known as “type-0 XSS” is a class of cross-site scripting vulnerability that appears within the DOM. It is a type of attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim’s browser, more so in a dynamic environment. In DOM-based XSS, the HTML source code and response of the attack will be exactly the same. This means the malicious payload cannot be found in the response, making it extremely difficult for browser-built in XSS mitigation features like Chrome’s XSS Auditor to perform.

Can you spot the vulnerabilities?

HTML code

The fact that the vulnerability is DPM based and branch.io still isn't using CSP made these vulnerabilities easy to exploit in any browser we like.

This meant that by modifying redirect strategy to a specially crafted payload to manipulate the DOM.


For example, our initial finding was the endpoint https://go.tinder.com/amp-iframe-redirect was prone to multiple vulnerabilities (scheme_redirect & redirect_strategy GET parameters control the div content).

redirect_strategy is “INJECTIONA” and scheme_redirect is “INJECTIONB” from the code above.

This meant that by modifying redirect_strategy to a dom-xss payload, it was possible to execute client-side code in the context of a Tinder domain in any browser:
will render in the DOM as:

if (1){ alert(1);// && "INJECTIONA") {

var parser = document.createElement('a');

parser.href = "INJECTIONA";

var protocol = parser.protocol.toLowerCase();

Bug screenshot

2. validateProtocol() and validate() Bypass

Also notice how validateProtocol() uses indexOf to check the schemes - the indexOf() method returns the position of the first occurrence of a specified value in a string. This method returns -1 if the value to search for never occurs. However, it can be tricked by using javascript://%0aalert(0)//good.com/https:// -- both the validate functions can be bypassed because indexOf will find “https://“

var parser = document.createElement('a');

parser.href = url;

var protocol = parser.protocol.toLowerCase();

if ((‘javascript:', 'vbscript:', ‘data:').indexOf(protocol) < 0) {return url;



return null;

if (['http:', 'https:'].indexOf(protocol) < 0) {

window.top.location = validate("http://google.com");


So, how did this bug affect more than Tinder?

go.tinder.com is an alias for custom.bnc.lt, a Branch.io resource. And many other companies have their alias pointing to it.

To name a few websites affected by this vulnerability: RobinHood, Shopify, Canva, Yelp, Western Union, Letgo, Cuvva, imgur, Lookout, fair.com and more.

Thanks to the fast response we got from Branch’s security team, this vulnerability has now been fixed for everyone’s domains.

Other recent studies of ours:

Critical RCE Vulnerability Found in Over a Million GPON Home Routers

About the Author

Kristina is an experienced tech writer and researcher with a keen interest in cybersecurity for businesses and the general public.

Did you like this article? Rate it!
I hated it! I don't really like it It was ok Pretty good! Loved it!
out of 10 - Voted by users
Thank you for your feedback
Comment Comment must be from 5 to 2500 characters long.