Hacker, 22, seeks LTR with important computer data: vulnerabilities found on popular dating app OkCupid

No Actual Daters Harmed in This Exercise

Analysis by Alon Boxiner, Eran Vaknin

With more than 50 million users since its launch, the bulk of them aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived when four friends from Harvard created the first free online dating service, it claims that more than 91 million connections are made through it annually, with 50K dates made every week, and it became the first major dating site to create a mobile app.

Dating apps allow a convenient, accessible and immediate connection with other people using the app. By sharing personal preferences in any area, and using the app's sophisticated algorithm, it brings users together with like-minded people who can immediately begin communicating via instant messaging.

To create all these connections, OkCupid builds private profiles for all its users, so that it can make the best match, or matches, based on each user's valuable personal information.

Of course, these detailed personal profiles are not just of interest to potential love matches. They're also highly prized by hackers, as they're the 'gold standard' of information either for use in targeted attacks, or for selling on to other hacking groups, as they enable attack attempts to be highly convincing to unsuspecting targets.

As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to look into the OkCupid app and see if we could find anything that matched our interests. And we found several things that led us into a deeper relationship (purely professional, of course). The vulnerabilities we discovered and have described in this research could have allowed attackers to:

  • Expose users' sensitive data stored on the app.
  • Perform actions on behalf of the victim.
  • Steal users' profile and private data, preferences and characteristics.
  • Steal users' authentication token, users' IDs, and other sensitive information such as email addresses.
  • Send the data gathered to the attacker's server.

Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research, and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app.

OkCupid added: “Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Checkpoint who, with OkCupid, put the safety and privacy of our users first.”

Mobile Platform

We began our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we discovered that the application opens a WebView (and enables JavaScript to execute in the context of the WebView window) and loads remote URLs such as and more.

Deep links enable attackers' intents

While reverse engineering the OkCupid application, we found that it has “deep links” functionality, which makes it possible to invoke intents in the application via a browser link.

The intents that the application listens to are the schema, custom schema and several more schemas:

An attacker can send a custom link that contains the schemas mentioned above. Since the custom link will contain the “section” parameter, the mobile application will open a WebView (browser) window. Any request will be sent with the user's cookies.

For demonstration purposes, we used the following link:

The mobile application opens a WebView (browser) window with JavaScript enabled.

Reflected Cross-Site Scripting (XSS)

As our research continued, we found that OkCupid's main domain is vulnerable to an XSS attack.

The injection point of the XSS attack was found in the user settings functionality.

Retrieving the user profile settings is done with an HTTP GET request sent to the following path:

The section parameter is injectable, and a hacker could use it to inject malicious JavaScript code.

For the purpose of demonstration, we popped an empty alert window. Note: as we noted above, the mobile application opens a WebView window, so the XSS is executed in the context of an authenticated user using the OkCupid mobile application.
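The two findings above chain together because a deep link is loaded into an authenticated WebView and the section value is then reflected without encoding. The following is an added example, not code from the original research or from OkCupid, showing both defensive checks: the host `app.example`, the section names and all function names are hypothetical placeholders.

```javascript
// Added example. TRUSTED_HOST and ALLOWED_SECTIONS are assumptions, not real values.
const TRUSTED_HOST = "app.example";
const ALLOWED_SECTIONS = new Set(["profile", "notifications", "privacy"]);

// Escape the HTML-significant characters before a value is written into markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Client side: decide whether a deep link may be opened in the WebView that
// carries the user's cookies. Returns { ok: true, section } or { ok: false, reason }.
function checkDeepLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Only https to the exact trusted host; custom schemes and look-alike hosts fail here.
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.hostname !== TRUSTED_HOST) return { ok: false, reason: "host" };
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  // Exactly one section parameter, and only a known value.
  const sections = url.searchParams.getAll("section");
  if (sections.length !== 1) return { ok: false, reason: "section-count" };
  if (!ALLOWED_SECTIONS.has(sections[0])) return { ok: false, reason: "section-value" };
  return { ok: true, section: sections[0] };
}

// Server side: the settings page never reflects the raw parameter. Unknown values
// fall back to a default, and the value is still encoded as defence in depth.
function renderSettings(section) {
  const name = ALLOWED_SECTIONS.has(section) ? section : "profile";
  return `<div id="settings" data-section="${escapeHtml(name)}"></div>`;
}

// Constructed sample links, labelled as such.
const samples = [
  "https://app.example/settings?section=privacy",
  "https://app.example/settings?section=%3Cscript%3Ealert(1)%3C/script%3E",
  "https://app.example.evil.test/settings?section=profile",
];
for (const s of samples) console.log(s, JSON.stringify(checkDeepLink(s)));
```

Either check alone breaks the chain, but the server-side fix is the one that protects users regardless of which client opens the link.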
