Attackers could exploit several flaws in OkCupid's mobile app and website to steal victims' sensitive details and even send messages from their profiles.
Researchers have discovered a slew of issues in the popular OkCupid dating application, which could have allowed attackers to access users' sensitive dating data, manipulate their profile data or even send messages from their profile.
OkCupid is one of the most popular dating platforms worldwide, with more than 50 million registered users, mostly aged between 25 and 34. Researchers found flaws in both the Android mobile application and the website of the service. These flaws could have potentially disclosed a user's full profile details, private messages, sexual orientation, personal addresses and all submitted answers to OkCupid's profiling questions, they said.
The flaws are fixed, but "our research into OkCupid, which is one of the longest-standing and most popular apps in their sector, has led us to raise some serious questions over the security of dating apps," said Oded Vanunu, head of products vulnerability research at Check Point Research, on Wednesday. "The basic questions being: How safe are my intimate details on the application? How easily can someone I do not know access my most private photos, messages and details? We've found that dating apps can be far from safe."
Check Point researchers disclosed their findings to OkCupid, after which OkCupid acknowledged the issues and fixed the security flaws in its servers.
"Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours," said OkCupid in a statement. "We're grateful to partners like Check Point who, with OkCupid, put the safety and privacy of our users first."
The Flaws
To carry out the attack, a threat actor would need to persuade OkCupid users to click on a single malicious link in order to execute malicious code in the web and mobile pages. An attacker could send the link to the victim (either on OkCupid's own platform or on social media), or publish it in a public forum. Once the victim clicks on the malicious link, the data is exfiltrated.
The reason this works is that the main OkCupid domain (https://www.OkCupid.com) was vulnerable to a cross-site scripting (XSS) attack. On reverse-engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1), researchers found that the app listens for "intents" that follow custom schemas (such as the "OkCupid://" custom schema) via a browser link. Researchers were able to inject malicious JavaScript code into the "section" parameter of the user profile settings in the settings functionality (https://www.OkCupid.com/settings?section=
Attackers could use an XSS payload that loads a script file from an attacker-controlled server, with JavaScript that can be used for data exfiltration. This could be used to steal users' authentication tokens, account IDs and cookies, as well as sensitive account data such as email addresses. It could also steal users' profile data and their private messages with others.
Then, using the authorization token and user ID, an attacker could perform actions such as changing profile data and sending messages from the user's profile account: "The attack ultimately allows an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data," according to researchers.
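The root cause described above is an untrusted "section" query parameter reflected into the settings page. The following is an added example, not OkCupid's or Check Point's code, showing the vulnerable reflection pattern beside a hardened version that validates the link's origin, allowlists the section value and encodes it on output; the section names and the page's markup are assumptions made for this example.

```javascript
// Added example, not OkCupid's or Check Point's code: hardening the reflected
// "section" query parameter on a settings page against the XSS described above.
// The list of valid section names is an assumption made for this example.
const ALLOWED_SECTIONS = new Set(["profile", "privacy", "notifications"]);
const DEFAULT_SECTION = "profile";

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that matter in an HTML attribute or text context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the raw parameter is reflected straight into markup,
// so a crafted value can break out of the attribute and inject script.
function renderSectionUnsafe(section) {
  return `<div class="settings" data-section="${section}"></div>`;
}

// Only accept a settings link on the expected origin and path; anything else
// (including a custom-scheme deep link such as OkCupid://) is rejected.
function parseSettingsUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (url.protocol !== "https:" || url.hostname !== "www.okcupid.com") return null;
  if (url.pathname !== "/settings") return null;
  return url.searchParams.get("section");
}

// Allowlist: unknown or missing values fall back to a known-safe default.
function resolveSection(section) {
  return ALLOWED_SECTIONS.has(section) ? section : DEFAULT_SECTION;
}

// Hardened pattern: allowlist first, then encode on output as defence in depth.
function renderSectionSafe(section) {
  return `<div class="settings" data-section="${escapeHtml(resolveSection(section))}"></div>`;
}
```

The same two checks apply to the Android intent handler: reject deep links whose scheme, host or path is not the expected one, and never pass a parameter from the link into a WebView or page without allowlisting it.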
Dating Apps Under Scrutiny
It's not the first time the OkCupid platform has had security flaws. In 2019, a critical flaw was found in the OkCupid application that could allow a bad actor to steal credentials, launch man-in-the-middle attacks or completely compromise the victim's application. Separately, OkCupid denied a data breach after reports surfaced of users complaining that their accounts had been hacked. Other dating apps – such as Coffee Meets Bagel, MobiFriends and Grindr – have all had their share of privacy issues, and many notoriously collect data and reserve the right to share it.
In June 2019, an investigation from ProPrivacy found that dating apps including Match and Tinder collect everything from chat content to financial details on their users, and then they share it. Their privacy policies also reserve the right to share personal data directly with advertisers and other commercial business partners. The problem is that users are often unaware of these privacy practices.
"Every maker and user of a dating application should pause for a moment to reflect on what more can be done around security, particularly as we enter what could be an imminent cyber pandemic," Check Point's Vanunu said. "Applications with sensitive personal data, like a dating app, have proven to be targets of hackers, hence the critical importance of securing them."