Hacker, 22, seeks LTR with your data: vulnerabilities found on popular OkCupid dating app
No Real Daters Harmed in This Exercise
Research by Alon Boxiner, Eran Vaknin
With over 50 million registered users since its launch, the majority aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived in 2004, when four friends from Harvard developed the first free online dating service, it claims that over 91 million connections are made through it every year and 50,000 dates every week, and in 2012 it became the first major dating site to release a mobile app.
Dating apps offer a convenient, accessible and immediate way to connect with other people using the app. By sharing personal preferences in any area, and using the app's matching algorithm, users are brought together with like-minded people with whom they can instantly start communicating via instant messaging.
To make all of these connections, OkCupid builds personal profiles for all its users, so that it can make the best match, or matches, based on each user's valuable personal information.
Of course, these detailed personal profiles are not only of interest to potential love matches. They are also highly prized by hackers, as they are the "gold standard" of data, either for use in targeted attacks or for selling on to other hacking groups, because they allow attack attempts to be highly convincing to unsuspecting targets.
As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to look at the OkCupid app to see if we could find anything that matched our interests. We found several things that led us into a deeper relationship (purely professional, of course). The vulnerabilities we found and describe in this research could have allowed attackers to:
- Expose users' sensitive data stored in the app.
- Perform actions on behalf of the victim.
- Steal users' profile and private data, including preferences and characteristics.
- Steal users' authentication token, user ID, and other sensitive information such as email address.
- Send the data collected to the attacker's server.
Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a fix was responsibly deployed to ensure its users can safely continue using the OkCupid app.
OkCupid added: "Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Checkpoint who, with OkCupid, put the safety and privacy of our users first."
Mobile Platform
Deep links allow attackers’ intents
While reverse engineering the OkCupid application, we discovered that it has "deep links" functionality, making it possible to invoke intents in the app using a browser link.
The intents that the application listens for use the "https://OkCupid.com" scheme, the "OkCupid://" custom scheme and several more schemes:
An attacker can send a custom link that uses one of the schemes mentioned above. Because the link contains the "section" parameter, the OkCupid mobile application opens a WebView (browser) window to load it, and any request made from that WebView is sent with the user's cookies.
For demonstration purposes, we used the following link:
Reflected Cross-Site Scripting (XSS)
As our research continued, we found that OkCupid's main domain, https://www.OkCupid.com, is vulnerable to a reflected XSS attack.
The injection point of the XSS attack was found in the user settings functionality.
Retrieving the user profile settings is done with an HTTP GET request sent to the following path:
For the purpose of demonstration, we popped a simple alert window. Note: as mentioned above, the mobile application opens a WebView window, so the XSS executes in the context of a user authenticated to the OkCupid mobile application.
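To make the two findings above concrete, here is an added example (not code from this write-up, and not OkCupid's code) that ties them together: the `section` parameter is taken from a deep link in either of the link forms the app accepts and rendered into a settings page, once unescaped, as a reflected XSS looks server-side, and once with an allow-list plus HTML escaping. The `/settings` path, the page markup and the section names are assumptions; the write-up only establishes that the settings functionality reflects the `section` parameter.

```javascript
// Added example, not OkCupid's code. The /settings path, the markup and the
// section names are assumptions; the page only establishes that the `section`
// parameter of the settings functionality is reflected into the response.

// Pull the `section` parameter out of either link form the app accepts: the
// https://OkCupid.com form or the custom OkCupid:// scheme. The WHATWG URL
// parser handles the custom scheme too, so one function covers both.
function sectionFromDeepLink(link) {
  return new URL(link).searchParams.get("section") ?? "";
}

// Vulnerable rendering: the parameter is concatenated into the HTML as-is.
function renderSettingsPageVulnerable(section) {
  return `<h1>Settings</h1><div id="panel" data-section="${section}">${section}</div>`;
}

// Escape the characters that can break out of element content or a
// double-quoted attribute value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened rendering: only known section names are accepted, and the chosen
// value is escaped anyway so a later addition to the allow-list cannot
// reintroduce the bug.
const KNOWN_SECTIONS = new Set(["profile", "privacy", "notifications"]); // assumed names
function renderSettingsPageSafe(section) {
  const chosen = KNOWN_SECTIONS.has(section) ? section : "profile";
  const safe = escapeHtml(chosen);
  return `<h1>Settings</h1><div id="panel" data-section="${safe}">${safe}</div>`;
}

// Quick check for an unescaped script tag; handy when grepping proxy logs for
// responses that reflect a probe.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed demonstration link carrying the same kind of payload the
// write-up popped as an alert.
const PAYLOAD = "<script>alert(document.domain)</script>";
const DEMO_LINK = "https://www.okcupid.com/settings?section=" + encodeURIComponent(PAYLOAD);

const demoSection = sectionFromDeepLink(DEMO_LINK);
console.log("vulnerable:", renderSettingsPageVulnerable(demoSection));
console.log("hardened:  ", renderSettingsPageSafe(demoSection));
```

Because the WebView loads the page with the user's session cookies attached, anything the vulnerable branch reflects runs as that authenticated user; the hardened branch never lets attacker-controlled text reach the markup unescaped.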
Sensitive Data Exposure & Performing Actions on Behalf of the Victim
The following screenshot shows an HTTP GET request containing the final XSS payload (in the section parameter). The payload consists of three functions:
- Steal_token – Steals the user's authentication token, oauthAccessToken, and the user's ID, userId. The user's sensitive information (PII), such as email address, is exfiltrated as well.
- Steal_data – Steals the user's profile and private data: preferences, user characteristics (e.g. answers given during registration), and more.
- Send_data_to_attacker – Sends the data collected by functions 1 and 2 to the attacker's server.
Steal token function:
The function makes an API call to the server. The user's cookies are sent with the request because the XSS payload executes in the context of the application's WebView.
The server responds with a large JSON document that contains the user's ID and the authentication token:
Steal data function:
The function makes an HTTP request to the https://www.OkCupid.com:443/graphql endpoint.
Using the data exfiltrated by the steal_token function, the request is sent with the authentication token and the user's ID.
The server responds with information about the victim's profile, including email, sexual orientation, height, family status, etc.
Send data to attacker function:
The function makes a POST request to the attacker's server containing all the information retrieved by the previous functions (steal_token and steal_data).
The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:
With the information exfiltrated by the steal_token function, an attacker can perform actions such as sending messages and changing profile data:
- The authentication token, oauthAccessToken, is used in the Authorization header (as the Bearer value).
- The user ID, userId, is added as needed.
Note: An attacker cannot perform a full account takeover, because the session cookies are protected with the HttpOnly flag and so cannot be read by the injected script.
Web Platform Vulnerabilities
Mis-configured Cross-Origin Resource Sharing Policy Leads To Sensitive Information Exposure
During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured properly, and any origin can send requests to the server and read its responses. The following is a request sent to the API server from the origin https://OkCupidmeethehacker.com:
The server does not validate the origin properly and responds with the requested data. Moreover, the server's response contains the headers Access-Control-Allow-Origin: https://OkCupidmeethehacker.com and Access-Control-Allow-Credentials: true:
From this point on, we knew that we could send requests to the API server from our domain (OkCupidmeethehacker.com) without being blocked by the CORS policy.
Once a victim who is authenticated to the OkCupid application browses to the attacker's web application (https://OkCupidmeethehacker.com), an HTTP GET request is sent to https://api.OkCupid.com/1/native/bootstrap containing the victim's cookies. The server's response is a large JSON document that contains the victim's authentication token (oauth_accesstoken) and the victim's user_id.
We were able to find even more useful data in the bootstrap API endpoint, namely the sensitive API endpoints exposed by the API server:
The following screenshot shows sensitive PII exfiltration from the /profile/ API endpoint, using the victim's user_id and access_token:
The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and access_token: