The Branch Web SDK provides deep linking and attribution. Once initialized, the Branch Web SDK allows you to create and share links with a banner (web only), over SMS, or your own methods by generating deep links. It also offers event tracking, access to referrals, and management of credits.
According to the documentation, the only way to use the Web SDK is to call init and pass the Branch key when doing the call. Doing that makes the key accessible to the web clients. And since I could not find any other validation - like white-listing the domains or anything else - one could easily take the key and at least:
1) use $desktop_url when creating a link with .link (I tried that) or any other $xxx_url to navigate to his/her or any random site.
2) And if this is not very worthy, he/she could just generate a lot of MAUs and bump the key owner's bill.
I just started looking at the Branch service yesterday so probably I am missing something? However the first use case can be easily tried with the key from your sample app on https://cdn.branch.io/
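From the key owner's side, one way to check for the first case the post describes is to audit link data for `$xxx_url` values that leave your own domains. This is an added example, not part of the original post or Branch's code; the record shape (`id`, `data`), the allowed hosts and the sample links are constructed assumptions.

```javascript
// Added example: flag link data whose $xxx_url redirect keys point off-domain.
// ALLOWED_HOSTS is an assumption: list the hosts you expect links to redirect to
// (your own sites, plus app store hosts if you use them).
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);

// Redirect-control keys follow the $xxx_url pattern mentioned in the post.
const REDIRECT_KEY = /^\$\w+_url$/;

// Returns null when the URL is acceptable, otherwise a short reason string.
function classifyUrl(value, allowedHosts) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return 'unparseable';
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return 'non-http-scheme';
  // Compare the parsed hostname, never a substring of the raw string:
  // "https://example.com@other.host/" and "example.com.other.host" are both off-domain.
  return allowedHosts.has(url.hostname.toLowerCase()) ? null : 'off-domain';
}

// records: [{ id, data }] where data is the link's key/value payload (hypothetical shape).
function auditLinks(records, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const rec of records) {
    for (const [key, value] of Object.entries(rec.data || {})) {
      if (!REDIRECT_KEY.test(key)) continue;
      const reason = classifyUrl(String(value), allowedHosts);
      if (reason) findings.push({ id: rec.id, key, value, reason });
    }
  }
  return findings;
}

// Constructed sample records for illustration only.
const SAMPLE_LINKS = [
  { id: 'link-1', data: { $desktop_url: 'https://www.example.com/promo', campaign: 'spring' } },
  { id: 'link-2', data: { $desktop_url: 'https://example.com@redirect.invalid/login' } },
  { id: 'link-3', data: { $fallback_url: 'https://example.com.redirect.invalid/' } },
  { id: 'link-4', data: { $android_url: 'javascript:void(0)' } },
];

console.log(auditLinks(SAMPLE_LINKS));
```
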