A Note on Patching Branch Links to Fix an XSS Bug

To set the stage for this post, I first want to provide some background on security at Branch. We provide an enterprise-grade service that over 50,000 apps (including those for many Fortune 100 companies) rely on to power tens of billions of user interactions every day. We continuously evaluate our security practices through internal and external audits, as well as external penetration testing. Every member of the Branch team, including myself, is personally committed to ensuring that Branch leads the industry with security practices, tooling, and auditing.

Through our responsible disclosure program, an external security researcher alerted us to a potential bug in our linking platform on October 1st, 2018. In theory, a bad actor could exploit the bug to modify Branch links, and then manipulate end users into clicking a modified link via a phishing scheme, resulting in cross-site scripting (XSS) in the browsers of users who clicked on a maliciously-modified link. We deployed a fix to patch the reported bug on October 5th, and are continuing our security evaluation to confirm the fix is thorough.

While any Branch link could have been maliciously changed, we believe the only noteworthy risk would have been to the very limited number of Branch customers who use a subdomain of their main website domain for their Branch links: in theory, an XSS attack could have allowed a bad actor to observe the values of cookies stored on the root domain.
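To make the subdomain risk above concrete, the following is an added example (not Branch's code; example.com and links.example.com are hypothetical hosts) that models the browser cookie rules deciding which of a root domain's cookies a script running on a subdomain could read: cookies with a Domain attribute covering the root are visible to every subdomain, while host-only cookies (no Domain attribute) and HttpOnly cookies are not.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    host: str                 # host that set the cookie (used for host-only scope)
    domain: Optional[str]     # None means host-only: sent only to `host`
    http_only: bool           # HttpOnly cookies are never exposed via document.cookie


def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie with its effective scope."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, http_only = None, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and value.strip():
            # Browsers ignore a leading dot and compare domains case-insensitively.
            domain = value.strip().lstrip(".").lower()
        elif key == "httponly":
            http_only = True
    return Cookie(name, setting_host.lower(), domain, http_only)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: equal, or request_host is a subdomain of cookie_domain."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def readable_by_script(cookie: Cookie, page_host: str) -> bool:
    """True if JavaScript on page_host can read this cookie through document.cookie."""
    if cookie.http_only:
        return False
    if cookie.domain is None:              # host-only cookie: never sent to subdomains
        return page_host.lower() == cookie.host
    return domain_matches(page_host, cookie.domain)


def exposed_cookies(headers: List[str], setting_host: str, page_host: str) -> List[str]:
    """Names of the cookies set by setting_host that a script on page_host could read."""
    cookies = (parse_set_cookie(h, setting_host) for h in headers)
    return sorted(c.name for c in cookies if readable_by_script(c, page_host))


# Constructed sample headers, as a root domain might set them.
SAMPLE_HEADERS = [
    "session=abc123; Domain=example.com; Secure",          # root-scoped: readable on subdomains
    "auth=xyz; Domain=example.com; Secure; HttpOnly",      # root-scoped but hidden from scripts
    "__Host-csrf=tok; Secure; Path=/",                     # host-only: stays on example.com
]

if __name__ == "__main__":
    print(exposed_cookies(SAMPLE_HEADERS, "example.com", "links.example.com"))  # ['session']
```

Of the three sample cookies, only the script-readable, root-scoped one is exposed to a page on the subdomain; dropping the Domain attribute or adding HttpOnly removes a cookie from that list.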

We have conducted a thorough analysis of Branch logs for evidence of any suspicious activity, and have uncovered no evidence that the bug was exploited, or that any end user interacted with a maliciously-modified link. In addition, we recently launched a multi-week Security Penetration Test with an industry-leading third-party vendor to ensure the security and integrity of the Branch platform.

Our team continues to work around the clock to ensure that Branch links are safe and secure. I want to reassure all of our customers that no action is needed from any customer using Branch as a result of this XSS bug. As always, we welcome submissions to our responsible disclosure program powered by Bugcrowd.

Onward!

Alex