WhatsApp's web client was vulnerable to clickjacking because it sent no X-Frame-Options header and had no frame-busting code, which allowed an attacker to frame the page and trick users into sending messages, creating groups, or making calls on their behalf. The vulnerability was reported to Facebook in January 2015 and subsequently fixed with an X-Frame-Options: Deny header.
A DOM-based XSS vulnerability was discovered in Branch.io's attribution platform, affecting over 685 million users across Tinder, Shopify, Yelp, and other major companies. The flaw stemmed from unvalidated GET parameters (redirect_strategy and scheme_redirect) that could carry malicious payloads; the existing validation relied on indexOf() string matching and could be bypassed with javascript:// protocol obfuscation.
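The weakness in that validation is easy to reproduce. The following is an added example, not Branch.io's code: a redirect-target check of the indexOf() kind beside a hardened version that parses the URL and requires an http(s) scheme and an exact host match. The allowlist (example.com) and the test inputs are constructed for the demonstration.

```javascript
// Constructed allowlist of hosts a redirect may point to.
const ALLOWED_HOSTS = ["example.com"];

// Weak check: only asks whether an allowed host appears somewhere in the
// string, so the scheme and the real host are never examined.
function weakCheck(target) {
  return ALLOWED_HOSTS.some((h) => target.indexOf(h) !== -1);
}

// Hardened check: parse with the WHATWG URL parser, reject anything that is
// not http(s), and compare the parsed hostname exactly against the allowlist.
function strictCheck(target) {
  let url;
  try {
    url = new URL(target);
  } catch (e) {
    return false; // unparsable input is rejected rather than guessed at
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return ALLOWED_HOSTS.includes(url.hostname);
}

// Constructed inputs: one legitimate target, one non-http scheme that still
// contains the allowed host, and one lookalike host.
const SAMPLES = [
  "https://example.com/path",
  "javascript://example.com",
  "https://example.com.evil.test/",
];

for (const s of SAMPLES) {
  console.log(`${s}  weak=${weakCheck(s)}  strict=${strictCheck(s)}`);
}
```

Only the first sample is accepted by strictCheck; weakCheck accepts all three because each contains the substring "example.com".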
A security researcher discovered a reflected XSS vulnerability and an open redirect on Indeed's offers.indeed.com subdomain via the 'target' URL parameter of a PDF report feature. The flaw allowed arbitrary JavaScript execution and redirection to external sites; Indeed patched it within a week.
Facebook's badges page was vulnerable to stored XSS via an unencoded 'layout' POST parameter that was saved directly to the database and rendered into an HTML class attribute, allowing attackers to inject arbitrary HTML/JavaScript and perform actions on behalf of victims.