A Note on Patching Branch Links to Fix a XSS Bug

By October 17, 2018 3 Comments

To set the stage for this post, I first want to provide some background on security at Branch. We provide an enterprise-grade service that over 50,000 apps (including those for many Fortune 100 companies) rely on to power tens of billions of user interactions every day. We continuously evaluate our security practices through internal and external audits, as well as external penetration testing. Every member of the Branch team, including myself, is personally committed to ensuring that Branch leads the industry with security practices, tooling, and auditing.

Through our responsible disclosure program, an external security researcher alerted us to a potential bug in our linking platform on October 1st, 2018. In theory, a bad actor could exploit the bug to modify Branch links, and then manipulate end users into clicking a modified link via a phishing scheme, leading to a cross-site scripting (XSS) bug for users who clicked on a maliciously-modified link. We deployed a fix to patch the reported bug on October 5th, and continue to perform a security evaluation to ensure thoroughness.

While any Branch link could have been maliciously changed, we believe the only noteworthy risk would have been to the very limited number of Branch customers who use a subdomain of their main website domain for their Branch links: in theory, an XSS attack could have allowed a bad actor to observe the values of cookies stored on the root domain.

We have conducted a thorough analysis of Branch logs for evidence of any suspicious activity, and have uncovered no evidence that the bug was exploited, or that any end user interacted with a maliciously-modified link. In addition, we recently launched a multi-week Security Penetration Test with an industry-leading third-party vendor to ensure the security and integrity of the Branch platform.

Our team continues to work around the clock to ensure that Branch links are safe and secure. I want to reassure all of our customers that no action is needed from any customer using Branch as a result of this XSS bug. As always, we welcome submissions to our responsible disclosure program powered by Bugcrowd.




Branch is a mobile linking platform providing unified mobile experiences and measurement for more than 50,000 mobile apps, including Airbnb, Ticketmaster, Reddit, Tinder and Amazon. Branch’s linking platform can help you grow your mobile app through features like deep linking, sharing, referrals, mobile banners and interstitials, custom app onboarding, and unified attribution across platforms and channels. Learn more about Branch or request a demo today.
  • Luka Malding

    This is probably following the publication of the report on vpnmentor site on the volunerability. Well done for fixings this. I suggest googleing “vpnmentor branch” to see the report

  • David Katz

    DOM-XSS vulnerability allows a client side attack. Of course Branch couldn’t find evidence in their servers that the vulnerability was exploited. This is why the researches found the issue strongly recommended to change the passwords of the sites that using Branch. Thanks for the update.

    • Alex Bauer

      Hi @disqus_NZgzmhgxkW:disqus, thanks for the note.

      You’re correct about how XSS exploits are executed, on the client side, in browser. In this case, the specific vulnerability manifested when a malicious / malformed HTTP request made it to our servers, and we returned a response payload which was susceptible to potential XSS. These prepared / malicious requests had a very distinct signature, which we were able to detect clearly in our request logs. During our log analysis, the only matching signatures found were from the initial security researcher when discovering and documenting the vulnerability, and our own team while testing and remediating. We found no evidence of any end users being impacted by this issue, and as described in this post, we swiftly remediated the issue upon it being brought to our attention.

Request Demo Create Links