Shopify: Account takeover intercepting magic link for Arrive app

Summary The "magic link" used for login by Arrive app uses Branch.io to pass the login token via deeplink to the app. But the URL contained in the link app.link domain is not verified so it can be intercepted by a malicious app at takeover the account. Description When trying to login with Arrive...

Branch.io Cross-Site Scripting

A Cross Site Scripting XSS vulnerability exists in Branch.io. Successful exploitation of this vulnerability would allow remote attackers to inject an arbitrary web script into the affected system...