Hacker, 22, seeks LTR with your computer data: weaknesses entirely on popular OkCupid relationship application

Hacker, 22, seeks LTR with your computer data: weaknesses entirely on popular OkCupid relationship application

Hacker, 22, seeks LTR with your computer data: weaknesses entirely on popular OkCupid relationship application

No Real Daters Harmed in This Workout

Analysis by Alon Boxiner, Eran Vaknin

With more than 50 million new users since its launch, as well as the bulk aged between 25 and 34, OkCupid the most popular dating platforms globally. Conceived whenever four buddies from Harvard developed initial free online dating service, it claims that more than 91 million connections are produced through it annually, 50K times made every week and it also became the initial major dating website to produce a mobile application.

Dating apps enable a comfy, available and instant experience of other people utilising the software. By sharing individual choices in virtually any area, and using the app’s advanced algorithm, it gathers users to like-minded those who can instantly begin interacting via instant texting.

To produce each one of these connections, OkCupid develops personal pages for several its users, so that it makes the match that is best, or matches, predicated on each user’s valuable private information.

Needless to say, these step-by-step individual profiles are not merely of great interest to love that is potential. They’re also very prized by code hackers, as they’re the ’gold standard’ of data either to be used in targeted assaults, and for offering on with other hacking groups, while they make it possible for assault tries to be very convincing to naive goals.

As our scientists have actually uncovered weaknesses various other popular social media marketing platforms and apps, we chose to research the app that is okCupid see whenever we may find something that matched our passions. And we also discovered a number of things that led us right into much much deeper relationship (solely expert, needless to say). OkCupidThe weaknesses we discovered and have now described in this extensive research might have permitted attackers to:

  • Expose users’ sensitive data kept regarding the application.
  • Perform actions with respect to the target.
  • Steals users’ profile and data that are private choices and faculties.
  • Steals users’ authentication token, users’ IDs, along with other information that is sensitive as e-mail details.
  • Forward the info collected in to the attacker’s host.

Always check Point Research informed OkCupid developers in regards to the vulnerabilities exposed in this research and a remedy what is christian connection had been responsibly implemented to make certain its users can properly keep using the OkCupid software.

OkCupid added: “Not an user that is single influenced by the prospective vulnerability on OkCupid, so we could actually correct it within 48 hours. We’re grateful to lovers like Checkpoint whom with OkCupid, place the privacy and safety of our users first.”

Mobile Platform

We started some reverse engineering to our research the OkCupid Android os mobile phone application (v40.3.1 on Android os 6.0.1). Through the reversing procedure, we found that the application is starting a WebView (and allows JavaScript to perform when you look at the context associated with window that is webView and loads remote URLs such as and much more.

Deep links enable attackers’ intents

While reverse engineering the OkCupid application, we discovered so it has “deep links” functionality, to be able to invoke intents into the software using a web browser website link.

The intents that the application form listens to would be the schema, customized schema and lots of more schemas:

A custom can be sent by an attacker website website website link which has the schemas mentioned above. Because the custom website link will retain the “section” parameter, the mobile application will start a webview (web browser) screen – OkCupid mobile application. Any demand will be delivered aided by the users’ snacks.

For demonstration purposes, we utilized the link that is following

The mobile application starts a webview ( web web browser) window with JavaScript enabled.

Reflected Cross-Site Scripting (XSS)

As our research proceeded, we now have discovered that OkCupid primary domain, is at risk of an XSS assault.

The injection point for the XSS attack ended up being based in the individual settings functionality.

Retrieving an individual profile settings is created making use of an HTTP GET demand provided for the following path:

The part parameter is injectable and a hacker could put it to use so that you can inject harmful JavaScript rule.

For the intended purpose of demonstration, we now have popped a clear window that is alert. Note: even as we noted above, the mobile application is starting a WebView screen therefore the XSS is performed within the context of a authenticated individual utilizing the OkCupid application that is mobile.