No Actual Daters Were Harmed in This Exercise
Analysis by Alon Boxiner, Eran Vaknin
With more than 50 million registered users since its launch, most of them aged between 25 and 34, OkCupid is one of the most popular dating platforms worldwide. Conceived when four friends from Harvard built the first free online dating service, it became the first major dating site to release a mobile app, and it claims that more than 91 million connections are made through it annually, with 50K dates arranged every week.
Dating apps enable a comfortable, accessible and instant connection with other people through the app. By sharing personal preferences in every area, and using the app's advanced algorithm, the app brings users together with like-minded people who can immediately start interacting via instant messaging.
To create all of these connections, OkCupid builds personal profiles for all its users, so that it can make the best match, or matches, based on each user's valuable private information.
Naturally, these detailed personal profiles are not only of interest to potential love matches. They are also highly prized by hackers, as they are the 'gold standard' of data, either for use in targeted attacks or for selling on to other hacking groups, since they make it possible for attack attempts to be extremely convincing to unsuspecting targets.
As our researchers have previously uncovered weaknesses in other popular social media platforms and apps, we decided to look at the OkCupid app to see whether we could find anything that matched our interests. And we found a number of things that led us into a much deeper relationship (strictly professional, of course). The weaknesses we discovered and have described in this research could have allowed attackers to:
- Expose users' sensitive data stored on the application.
- Perform actions on behalf of the victim.
- Steal users' profile and private data, preferences and characteristics.
- Steal users' authentication token, user IDs, and other sensitive information such as email addresses.
- Forward the collected information to the attacker's server.
Check Point Research informed OkCupid's developers about the weaknesses exposed in this research, and a fix was responsibly implemented to ensure its users can safely continue using the OkCupid app.
OkCupid added: "Not a single user was affected by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Checkpoint who, with OkCupid, put the security and privacy of our users first."
Mobile Platform
Deep links allow attackers' intents
While reverse engineering the OkCupid application, we found that it has "deep links" functionality, which makes it possible to invoke intents within the app from a browser link.
The intents that the application listens to are the following schema, a custom schema and several more schemas:
An attacker can send a custom link that contains the schemas mentioned above. Since the custom link will contain the "section" parameter, the OkCupid mobile application will open a WebView (browser) window. Any request made from it will be sent with the user's cookies.
For demonstration purposes, we used the following link:
Reflected Cross-Site Scripting (XSS)
As our research continued, we found that OkCupid's main domain is vulnerable to an XSS attack.
The injection point for the XSS attack was located in the user settings functionality.
Retrieving a user's profile settings is done with an HTTP GET request sent to the following path:
For the purpose of demonstration, we popped an empty alert window. Note: as we noted above, the mobile application opens a WebView window, so the XSS executes in the context of a user authenticated to the OkCupid mobile application.
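The two weaknesses above chain together because attacker-controlled text from the deep link's "section" parameter reaches a WebView that carries the user's cookies, and the same parameter is reflected unescaped by the settings page. The following is an added example (not Check Point's or OkCupid's code) of the two defensive checks that break that chain: allowlisting the section on the client before building the WebView URL, and HTML-escaping the reflected value on the server. The app scheme, host, path and section names are constructed placeholders, since the page does not state the real ones.

```python
from html import escape
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Constructed placeholders: the page does not give the real scheme, host,
# settings path or section names, so these exist only for illustration.
APP_SCHEME = "exampleapp"
WEB_HOST = "www.example-dating-site.test"
SETTINGS_PATH = "/settings"
ALLOWED_SECTIONS = {"profile", "privacy", "notifications"}


def section_from_deep_link(link: str) -> Optional[str]:
    """Return the 'section' value only if the link uses the app's own scheme
    and names a known section. Foreign schemes, unknown sections and
    duplicated parameters are rejected so attacker text never reaches
    the WebView URL."""
    parts = urlsplit(link)
    if parts.scheme != APP_SCHEME:
        return None
    values = parse_qs(parts.query).get("section", [])
    if len(values) != 1 or values[0] not in ALLOWED_SECTIONS:
        return None
    return values[0]


def webview_url(link: str) -> Optional[str]:
    """Client side: build the WebView target from fixed components plus the
    validated section, instead of forwarding the deep link's text."""
    section = section_from_deep_link(link)
    if section is None:
        return None
    return f"https://{WEB_HOST}{SETTINGS_PATH}?section={quote(section)}"


def render_settings(section_param: str) -> str:
    """Server side: reflect the GET parameter only after HTML-escaping it,
    which neutralises the reflected XSS even if a client skips validation."""
    return f"<h1>Settings: {escape(section_param, quote=True)}</h1>"
```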