Security issues found in online dating platform can allow attackers to remotely spy or gather private information
OkCupid security holes reveal that hackers have found a way to get to users' private information.[1] The popular application can be used to spy on users directly or to perform other malicious actions on targeted accounts.[2] The report from Check Point[3] researchers shows that flaws in the Android and web applications can lead to the theft of authentication tokens, user IDs, sensitive and personal information such as email addresses and sexual orientation, and private data from the API server.
Researchers themselves state that actual customers have not suffered losses, and OkCupid officials assured:
Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Checkpoint who with OkCupid, put the safety and privacy of our users first.
The platform has over 50 million registered users and OkCupid is one of the most popular online dating options. Created back in 2004, the platform claims to make more than 91 million connections annually. Although dating online creates an accessible and comfortable connection with others using the app, personal information sharing is not a risk-free behavior.
Multiple flaws uncovered
The first flaws were identified as part of the reverse engineering of the OkCupid Android app. Since then, the application has received at least 15 updates. The most recent version, 43.3.2, was released to the Google Play Store a few days back.
The research team stated that the application uses deep links that a bad actor can abuse. An attacker can send a custom link of the kind defined in the application's manifest file, which, for example, opens a browser window with JavaScript enabled.
A separate flaw was discovered in OkCupid's functionality that makes it vulnerable to an XSS attack.[4] Malicious JavaScript code can be injected using the section parameter. This method can be adapted to load an additional payload from a C&C server in order to steal authentication tokens and profile details and transfer this information back to the attackers' server.
Another flaw spotted in this application is an oversight in the cross-origin resource sharing (CORS) policy of the API server. This flaw can be used to gain permission to craft requests from any origin in order to get those user IDs and tokens. Further attacks can lead to data gathering from the profile API endpoint.
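The article does not say how the API server's CORS policy was misconfigured. The added example below (not code from OkCupid or Check Point) assumes the common case of echoing the request's Origin header, and contrasts it with an exact-match allowlist plus a small audit helper for testing a policy. All origins and function names are constructed for illustration.

```javascript
// Constructed allowlist: the only web origins permitted to read API responses.
const ALLOWED_ORIGINS = new Set([
  "https://www.example-dating.test",
  "https://m.example-dating.test",
]);

// Weak policy (assumed shape of the oversight): echo back whatever Origin the
// request carries and allow credentials, so any site can read the responses.
function weakCorsHeaders(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Strict policy: exact match on the serialized origin. No substring, suffix
// or regex matching, and the literal origin "null" is never trusted.
function strictCorsHeaders(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return { Vary: "Origin" }; // no ACAO header, so the browser blocks the read
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // keep caches from serving one origin's headers to another
  };
}

// Audit helper: feed a policy origins that must never be trusted and return
// the ones it accepts. An empty result means the policy passed.
function auditCorsPolicy(policy, untrustedOrigins) {
  return untrustedOrigins.filter(
    (o) => policy(o)["Access-Control-Allow-Origin"] !== undefined
  );
}

// Constructed test origins covering the usual validation mistakes.
const UNTRUSTED = [
  "https://unrelated.test",
  "null",                                       // sandboxed iframe / file origin
  "http://www.example-dating.test",             // scheme downgrade
  "https://www.example-dating.test.other.test", // allowlisted name as prefix
  "https://notexample-dating.test",             // allowlisted name as suffix
];

console.log("weak policy accepts:", auditCorsPolicy(weakCorsHeaders, UNTRUSTED));
console.log("strict policy accepts:", auditCorsPolicy(strictCorsHeaders, UNTRUSTED));
```

The same audit list can be replayed against a staging API by sending each value as the Origin header and checking the response for Access-Control-Allow-Origin.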
User IDs and personal information in bad hands lead to serious issues
If the attackers manage to get access to user IDs, tokens, and other personal details, they can send requests to the endpoint and fetch every detail associated with a particular profile. Those details include email address, sexual orientation, family status, height, and other preferences.
From this point, the attacker can also carry out various actions on behalf of the compromised account. Messages can be sent to other customers, or profile data changed. A full account hijack is not possible because the cookies are protected by HttpOnly.
Personal data is the biggest issue here. Even though details that users provide on the dating app are sensitive, the more crucial issue stems from the fact that harvested information can be used in other attack attempts and in social engineering campaigns that possibly lead to damaging consequences.[5]