OkCupid Dating App Flaws Could’ve Let Hackers Read Your Private Messages

okcupid messages hackedokcupid messages hacked

Cybersecurity researchers today disclosed several security
issues in popular online dating platform OkCupid that could
potentially let attackers remotely spy on users’ private
information or perform malicious actions on behalf of the targeted
accounts.

According to a report shared with The Hacker News, researchers
from Check
Point
[1] found that the flaws in
OkCupid’s Android and web applications could allow the theft of
users’ authentication tokens, users IDs, and other sensitive
information such as email addresses, preferences, sexual
orientation, and other private data.

After Check Point researchers responsibly shared their findings
with OkCupid, the Match Group-owned company fixed the issues,
stating, “not a single user was impacted by the potential
vulnerability.”

The Chain of Flaws

The flaws were identified as part of reverse engineering of
OkCupid’s Android app version 40.3.1, which was released on April
29 earlier this year. Since then, there have been 15
updates to the app
with the most recent version (43.3.2)
hitting Google Play Store yesterday.
Check Point said OkCupid’s use of deep
links
could enable a bad actor to send a custom link defined in
the app’s manifest file to open a browser window with JavaScript
enabled. Any such request was found to return the users’
cookies.

hacking okcupid accounthacking okcupid account

The researchers also uncovered a separate flaw in OkCupid’s
settings functionality that makes it vulnerable to an XSS attack by
injecting malicious JavaScript code using the “section” parameter
as follows: “https://www.okcupid.com/settings?section=value”

The aforementioned XSS attack can be augmented further by
loading a JavaScript payload from an attacker-controlled server to
steal authentication tokens, profile information, and user
preferences, and transmit the amassed data back to the
server.

“Users’ cookies are sent to the [OkCupid] server since the XSS
payload is executed in the context of the application’s WebView,”
the researchers said, outlining their method to capture the token
information. “The server responds with a vast JSON containing the
users’ id and the authentication token.”

Once in possession of the user ID and the token, an adversary
can send a request to the “https://www.OkCupid.com:443/graphql”
endpoint to fetch all the information associated with the victim’s
profile (email address, sexual orientation, height, family status,
and other personal preferences) as well as carry out actions on
behalf of the compromised individual, such as send messages and
change profile data.

However, a full account hijack is not possible as the cookies are
protected with HTTPOnly, mitigating the
risk of a client-side script accessing the protected cookie.

Lastly, an oversight in the Cross-Origin Resource Sharing
(CORS[5]) policy of the API
server could have permitted an attacker to craft requests from any
origin (e.g. “https://okcupidmeethehacker.com”) in order to get
hold of the user ID and authentication token, and subsequently, use
that information to extract profile details and messages using the
API’s “profile” and “messages” endpoints.

Remember Ashley Madison Breach and Blackmail Threats?

Although the vulnerabilities were not exploited in the wild, the
episode is yet another reminder of how bad actors could have taken
advantage of the flaws to threaten victims with black and
extortion.

hacking okcupid accounthacking okcupid account

After Ashley Madison, an adult dating service catering to married
individuals seeking partners for affairs was hacked
in 2015
and information about its 32 million users was posted
to the dark web
, it led to a rise in phishing and sextortion campaigns, with blackmailers
reportedly sending personalized emails to the users, threatening to
reveal their membership to friends and family unless they pay
money.

“The dire need for privacy and data security becomes far more
crucial when so much private and intimate information is being
stored, managed and analyzed in an app,” the researchers concluded.
“The app and platform was created to bring people together, but of
course where people go, criminals will follow, looking for easy
pickings.”

[2][3][4][6][7][8]

References

  1. ^
    Check Point
    (research.checkpoint.com)
  2. ^
    15 updates to the app
    (www.appbrain.com)
  3. ^
    deep links
    (developer.android.com)
  4. ^
    HTTPOnl
    (owasp.org)
  5. ^
    CORS
    (developer.mozilla.org)
  6. ^
    hacked in 2015
    (thehackernews.com)
  7. ^
    posted to the dark web
    (thehackernews.com)
  8. ^
    sextortion campaigns
    (www.vadesecure.com)

Read more

Leave a Reply