Cybersecurity researchers today disclosed several security issues in the popular online dating platform OkCupid that could potentially let attackers remotely spy on users’ private information or perform malicious actions on behalf of the targeted accounts.
According to a report shared with The Hacker News, researchers from Check Point found that the flaws in OkCupid’s Android and web applications could allow the theft of users’ authentication tokens, user IDs, and other sensitive information such as email addresses, preferences, sexual orientation, and other private data.
After Check Point researchers responsibly shared their findings with OkCupid, the Match Group-owned company fixed the issues, stating, “not a single user was impacted by the potential vulnerability.”
The Chain of Flaws
The flaws were identified as part of reverse engineering of OkCupid’s Android app version 40.3.1, which was released on April 29 earlier this year. Since then, there have been 15 updates to the app, with the most recent version (43.3.2) hitting the Google Play Store yesterday.
“Users’ cookies are sent to the [OkCupid] server since the XSS payload is executed in the context of the application’s WebView,” the researchers said, explaining their approach to capturing the token data. “The server responds with a huge JSON containing the users’ id and the authentication token.”
Once in possession of the user ID and the token, an adversary can send a request to the “https://www.OkCupid.com:443/graphql” endpoint to fetch all the information associated with the victim’s profile (email address, sexual orientation, height, family status, and other personal preferences) as well as carry out actions on behalf of the compromised individual, such as sending messages and changing profile information.
However, a full account hijack is not possible, as the cookies are protected with HttpOnly, mitigating the risk of a client-side script accessing the protected cookie.
Lastly, an oversight in the Cross-Origin Resource Sharing (CORS) policy of the API server could have allowed an attacker to craft requests from any origin (e.g. “https://okcupidmeethehacker.com”) in order to get hold of the user ID and authentication token, and subsequently use that information to extract profile details and messages via the API’s “profile” and “messages” endpoints.
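The two mitigations this chain turned on, a CORS policy that does not reflect arbitrary origins and session cookies flagged HttpOnly, can be checked from a response’s headers. The following is an added example written for this article, not code from Check Point or OkCupid; the allowlist, the sample header sets and the cookie name are constructed, and the untrusted origin is the one quoted above.

```python
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]

# Constructed allowlist for this example; a real deployment loads its own.
ALLOWED_ORIGINS = frozenset({"https://www.okcupid.com"})

def cors_origin_for(request_origin: Optional[str]) -> Optional[str]:
    """Hardened policy: echo Origin only if allowlisted, else send no ACAO header."""
    return request_origin if request_origin in ALLOWED_ORIGINS else None

def audit_cors(request_origin: str, headers: Iterable[Header]) -> List[str]:
    """Flag CORS headers that let an untrusted origin read the response."""
    h = {k.lower(): v.strip() for k, v in headers}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        findings.append(f"reflects untrusted origin {request_origin}")
        if creds:  # cookies ride along, so the authenticated JSON is exposed
            findings.append("credentialed response readable by that origin")
    elif acao == "*" and creds:
        findings.append("wildcard origin with credentials (misconfiguration)")
    return findings

def audit_cookies(headers: Iterable[Header]) -> List[str]:
    """Report Set-Cookie headers missing the HttpOnly or Secure attribute."""
    findings: List[str] = []
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        for attr in ("httponly", "secure"):
            if attr not in attrs:
                findings.append(f"cookie {name} lacks {attr}")
    return findings

# Constructed samples: a weak response and its hardened counterpart.
WEAK: List[Header] = [
    ("Access-Control-Allow-Origin", "https://okcupidmeethehacker.com"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
]
HARDENED: List[Header] = [
    ("Access-Control-Allow-Origin", "https://www.okcupid.com"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```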
Recall Ashley Madison Breach and Blackmail Threats?
Although the vulnerabilities were not exploited in the wild, the episode is yet another reminder of how bad actors could have taken advantage of the flaws to threaten victims with blackmail and extortion.
After Ashley Madison, an adult dating service catering to married people seeking partners for affairs, was hacked in 2015 and information about its 32 million users was posted to the dark web, it led to a rise in phishing and sextortion campaigns, with blackmailers reportedly sending personalised emails to the users, threatening to expose their membership to friends and family unless they paid money.
“The dire need for privacy and data security becomes far more crucial when so much private and intimate information is being stored, managed and analyzed in an app,” the researchers concluded. “The app and platform was created to bring people together, but of course where people go, criminals will follow, looking for easy pickings.”