A Note on Patching Branch Links to Fix an XSS Bug

Alex Austin

Oct 17, 2018


To set the stage for this post, I first want to provide some background on security at Branch. We provide an enterprise-grade service that over 50,000 apps (including those for many Fortune 100 companies) rely on to power tens of billions of user interactions every day. We continuously evaluate our security practices through internal and external audits, as well as external penetration testing. Every member of the Branch team, including myself, is personally committed to ensuring that Branch leads the industry with security practices, tooling, and auditing.

Through our responsible disclosure program, an external security researcher alerted us to a potential bug in our linking platform on October 1st, 2018. In theory, a bad actor could exploit the bug to modify Branch links and then manipulate end users into clicking a modified link via a phishing scheme, resulting in cross-site scripting (XSS) for users who clicked on a maliciously-modified link. We deployed a fix to patch the reported bug on October 5th, and are continuing a security evaluation to confirm that the fix is complete.

While any Branch link could have been maliciously changed, we believe the only noteworthy risk would have been to the very limited number of Branch customers who use a subdomain of their main website domain for their Branch links: in theory, an XSS attack could have allowed a bad actor to observe the values of cookies stored on the root domain.
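The subdomain risk described above comes down to how browsers scope cookies: a cookie set with a Domain attribute equal to the root domain is sent to every subdomain, whereas a host-only cookie (no Domain attribute) is sent only to the exact host that set it, and an HttpOnly cookie is sent with requests but cannot be read by page script. The following Python is added here as an illustration; it is not code from Branch or from this post. It models RFC 6265 domain and path matching over a constructed cookie jar for the hypothetical hosts example.com and link.example.com, and reports which cookies a page on the link subdomain would receive and which of those a script on that page could read.

```python
"""Model of RFC 6265 cookie scoping, to show why a page on a subdomain can see
cookies scoped to the root domain. Hosts and cookies below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str          # lower-case domain the cookie is scoped to
    host_only: bool      # True when no Domain attribute was set on the cookie
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def _is_ipv4_literal(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain, or is a subdomain of it
    (and is not an IP address literal)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().rstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ipv4_literal(host)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def _applies(c: Cookie, host: str, path: str, https: bool) -> bool:
    if c.host_only:
        if host.lower().rstrip(".") != c.domain:
            return False
    elif not domain_matches(host, c.domain):
        return False
    if not path_matches(path, c.path):
        return False
    if c.secure and not https:
        return False
    return True


def cookies_sent_to(jar, host: str, path: str = "/", https: bool = True) -> set:
    """Names of cookies the browser attaches to a request for https://host/path."""
    return {c.name for c in jar if _applies(c, host, path, https)}


def script_readable(jar, host: str, path: str = "/", https: bool = True) -> set:
    """Cookies that document.cookie would expose to script running on that page:
    everything sent, minus HttpOnly cookies."""
    return {c.name for c in jar if _applies(c, host, path, https) and not c.http_only}


def sample_jar():
    """Constructed cookie jar for the hypothetical site example.com."""
    return [
        # Session cookie set without a Domain attribute: host-only, HttpOnly.
        Cookie("sid", "example.com", host_only=True, secure=True, http_only=True),
        # Preference cookie set with Domain=example.com: shared with all subdomains.
        Cookie("prefs", "example.com", host_only=False, secure=True),
        # Cookie scoped to one unrelated subdomain.
        Cookie("cart", "shop.example.com", host_only=False),
    ]


def exposure_report(jar, link_host: str) -> dict:
    """What a page on the link host receives, and what its script could read."""
    return {
        "sent": sorted(cookies_sent_to(jar, link_host)),
        "script_readable": sorted(script_readable(jar, link_host)),
    }


if __name__ == "__main__":
    jar = sample_jar()
    # Links hosted on a subdomain of the main site receive root-scoped cookies.
    print("link.example.com:", exposure_report(jar, "link.example.com"))
    # Links hosted on a separate domain receive none of them.
    print("example-links.app:", exposure_report(jar, "example-links.app"))
```

Running the module shows that a page on link.example.com receives and can read the root-scoped `prefs` cookie while the host-only `sid` cookie never leaves example.com, and that a link host on a separate domain receives nothing. The two mitigations that fall out of the model are the ones implied in the text: host link content on a domain that is not a subdomain of the main site, and set sensitive cookies host-only (no Domain attribute) with HttpOnly.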

We have conducted a thorough analysis of Branch logs for evidence of any suspicious activity, and have uncovered no evidence that the bug was exploited, or that any end user interacted with a maliciously-modified link. In addition, we recently launched a multi-week Security Penetration Test with an industry-leading third-party vendor to ensure the security and integrity of the Branch platform.

Our team continues to work around the clock to ensure that Branch links are safe and secure. I want to reassure all of our customers that no action is needed from any customer using Branch as a result of this XSS bug. As always, we welcome submissions to our responsible disclosure program powered by Bugcrowd.
