Morioh
Login
Shawn Durgan

Shawn Durgan

3 years ago

Attackers could have exploited various flaws in OkCupid’s mobile app and webpage to steal victims’ sensitive data and even send messages out from their profiles.

Researchers have discovered a slew of issues in the popular OkCupid dating app, which could have allowed attackers to collect users’ sensitive dating information, manipulate their profile data or even send messages from their profile.

OkCupid is one of the most popular dating platforms worldwide, with more than 50 million registered users, mostly aged between 25 and 34. Researchers found flaws in both the Android mobile application and webpage of the service. These flaws could have potentially revealed a user’s full profile details, private messages, sexual orientation, personal addresses and all submitted answers to OKCupid’s profiling questions, they said.

The flaws are fixed, but “our research into OKCupid, which is one of the longest-standing and most popular applications in their sector, has led us to raise some serious questions over the security of dating apps,” said Oded Vanunu, head of products vulnerability research at Check Point Research, on Wednesday. “The fundamental questions being: How safe are my intimate details on the application? How easily can someone I don’t know access my most private photos, messages and details? We’ve learned that dating apps can be far from safe.”

Check Point researchers disclosed their findings to OKCupid, after which OkCupid acknowledged the issues and fixed the security flaws in their servers.

“Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours,” said OkCupid in a statement. “We’re grateful to partners like Check Point who with OkCupid, put the safety and privacy of our users first.”

The Flaws

To carry out the attack, a threat actor would need to convince OkCupid users to click on a single, malicious link in order to then execute malicious code into the web and mobile pages. An attacker could either send the link to the victim (either on OkCupid’s own platform, or on social media), or publish it in a public forum. Once the victim clicks on the malicious link, the data is then exfiltrated.

The reason this works is because the main OkCupid domain (https://www.OkCupid.com) was vulnerable to a cross-site scripting (XSS) attack. Upon reverse-engineering the OkCupid Android Mobile application (v40.3.1 on Android 6.0.1), researchers found the app listens to “intents” that follow custom schemas (such as the “OkCupid://” custom schema) via a browser link. Researchers were able to inject malicious JavaScript code into the “section” parameter of the user profile settings in the settings functionality (https://www.OkCupid.com/settings?section=).

Attackers could use a XSS payload that loads a script file from an attacker controlled server, with JavaScript that can be used for data exfiltration. This could be utilized to steal users’ authentication tokens, account IDs, cookies, as well as sensitive account data like email addresses. It could also steal users’ profile data, as well as their private messages with others.

#vulnerabilities #web security #cross origin resource sharing #dating app #hack #malicious code #mobile app flaw #okcupid #okcupid security #security flaw #vulnerability

OkCupid Security Flaw Threatens Intimate Dater Details

threatpost.com

OkCupid Security Flaw Threatens Intimate Dater Details

Attackers could have exploited various flaws in OkCupid's mobile app and webpage to steal victims' sensitive data and even send messages out from their profiles.

1.05 GEEK