Hacker, 22, seeks LTR with your data: vulnerabilities found on popular OkCupid dating app

No Real Daters Harmed in This Exercise

Analysis by Alon Boxiner, Eran Vaknin

With more than 50 million registered users since its launch, the majority aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived when four friends from Harvard created the first free online dating service, it claims that more than 91 million connections are made through it annually, that 50K dates are made every week, and that it became the first major dating site to create a mobile app.

Dating apps offer a comfortable, accessible and immediate connection with other people using the app. By sharing personal preferences in just about every area, and using the app's advanced algorithm, it matches users with like-minded people who can immediately start interacting via instant messaging.

To make all of these connections, OkCupid builds personal profiles for all of its users, so that it can make the best match, or matches, based on each user's valuable private information.

Of course, these detailed personal profiles are not only of interest to potential love matches. They are also highly prized by hackers, as they are the 'gold standard' of information, either for use in targeted attacks or for selling on to other hacking groups, since they allow attack attempts to be extremely convincing to unsuspecting targets.

As our researchers have previously uncovered vulnerabilities in other popular social media platforms and apps, we decided to take a look at the OkCupid app to see whether we could find anything that matched our interests. We found several things that led us into a much deeper relationship (strictly professional, of course). The vulnerabilities we found and have described in this research could have allowed attackers to:

  • Expose users' sensitive data stored on the application.
  • Perform actions on behalf of the victim.
  • Steal users' profile and private data, preferences and characteristics.
  • Steal users' authentication token, users' IDs, and other sensitive information such as email addresses.
  • Forward the collected data to the attacker's server.

Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app.

OkCupid added: "Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Checkpoint who, with OkCupid, put the security and privacy of our users first."

Mobile Platform

We started our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (and allows JavaScript to run in the context of the WebView window) and loads remote URLs such as and more.

Deep links help attackers' intents

While reverse engineering the OkCupid application, we discovered that it has "deep links" functionality, which makes it possible to invoke intents in the app from a browser link.

The intents that the application listens to are the schema, the custom schema and several more schemas:

An attacker can send a custom link that contains the schemas mentioned above. Since the custom link will contain the "section" parameter, the mobile application will open a WebView (browser) window in the context of the OkCupid mobile application. Any request will be sent with the user's cookies.

For demonstration purposes, we used the following link:

The mobile application opens a WebView (browser) window with JavaScript enabled.
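The defensive counterpart to the deep-link behaviour described above is to validate an incoming link before it ever reaches a JavaScript-enabled WebView. The following is an added example, not code from the original research or from the OkCupid app; the host allowlist (`app.example.com`) and the `route_deep_link` helper are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the app may load in its JavaScript-enabled WebView.
# "app.example.com" is a placeholder, not an OkCupid hostname.
ALLOWED_HOSTS = {"app.example.com"}


def is_allowed_deep_link(url: str) -> bool:
    """Decide whether a deep-link URL may be handed to the WebView.

    The check is deliberately strict: https only, exact host match, no
    embedded credentials and no unexpected port, so that neither a
    javascript:/file: URL nor a look-alike host reaches the WebView.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            return False
        # "https://app.example.com@other.test/" parses with hostname other.test;
        # refuse anything carrying userinfo rather than trusting the eye.
        if parts.username is not None or parts.password is not None:
            return False
        # hostname is lowercased and stripped of the port by urlsplit
        if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
            return False
        if parts.port not in (None, 443):
            return False
    except ValueError:  # malformed netloc or non-numeric port
        return False
    return True


def route_deep_link(url: str) -> str:
    """What the app should do with an incoming link: open it or drop it."""
    return "webview" if is_allowed_deep_link(url) else "drop"
```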

Reflected Cross-Site Scripting (XSS)

As our research continued, we found that the OkCupid main domain was vulnerable to an XSS attack.

The injection point of the XSS attack was found in the user settings functionality.

Retrieving the user profile settings is done with an HTTP GET request sent to the following path:

The section parameter is injectable and an attacker could use it to inject malicious JavaScript code.

For the purpose of demonstration, we popped a simple alert window. Note: as we mentioned above, the mobile application opens a WebView window, so the XSS executes in the context of an authenticated user using the OkCupid mobile application.
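The reflected XSS above comes down to the `section` value being written into the page unchanged. The following added example (not code from the original research or from OkCupid's servers) contrasts a vulnerable renderer with an allowlist-plus-escape fix, and shows how a defender can flag such requests in access logs; the `/settings` path, the section names and the log lines are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of settings tabs; the real OkCupid section names are not on the page.
KNOWN_SECTIONS = {"profile", "privacy", "notifications"}

# Constructed access-log lines in Common Log Format (documentation IP range, fake path).
LOG_LINES = [
    '203.0.113.5 - - [01/Jan/2020:10:00:00 +0000] "GET /settings?section=privacy HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2020:10:00:01 +0000] "GET /settings?section=%3Ci%3Eprobe%3C/i%3E HTTP/1.1" 200 530',
    '203.0.113.7 - - [01/Jan/2020:10:00:02 +0000] "GET /settings HTTP/1.1" 200 500',
]


def section_from_request(path_and_query: str) -> str:
    """Pull the 'section' query parameter (percent-decoded) out of a request target."""
    qs = parse_qs(urlsplit(path_and_query).query)
    return qs.get("section", ["profile"])[0]


def render_settings_vulnerable(section: str) -> str:
    """Reflects the raw parameter into HTML: the bug class described in the article."""
    return f'<h1>Settings: {section}</h1><div data-section="{section}"></div>'


def render_settings_fixed(section: str) -> str:
    """Allowlist first, then escape: neither unknown values nor markup reach the page."""
    if section not in KNOWN_SECTIONS:
        section = "profile"
    safe = html.escape(section, quote=True)  # redundant for allowlisted values, kept as defence in depth
    return f'<h1>Settings: {safe}</h1><div data-section="{safe}"></div>'


def flag_suspicious_sections(log_lines) -> list:
    """Detection side: request targets whose 'section' value carries HTML-significant characters."""
    hits = []
    for line in log_lines:
        target = line.split('"')[1].split(" ")[1]  # '"GET /path HTTP/1.1"' -> '/path'
        value = section_from_request(target)
        if any(ch in value for ch in '<>"\''):
            hits.append(target)
    return hits
```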
