Hacker, 22, seeks LTR with important computer data: weaknesses entirely on popular OkCupid relationship application

Hacker, 22, seeks LTR with important computer data: weaknesses entirely on popular OkCupid relationship application

No Daters that is actual Harmed This Workout

Analysis by Alon Boxiner, Eran Vaknin

With more than 50 million users since its launch, therefore the bulk aged between 25 and 34, OkCupid the most popular dating platforms globally. Conceived whenever four buddies from Harvard developed the initial free online dating service, it claims that more than 91 million connections are formulated through it annually, 50K times made every week also it became 1st major dating website to produce a mobile software.

Dating apps enable a comfy, available and connection that is immediate other people with the software. By sharing individual choices in virtually any area, and using the app’s advanced algorithm, it gathers users to like-minded those who can instantly begin interacting via instant texting.

To generate every one of these connections, OkCupid develops personal pages for several its users, so it will make the most useful match, or matches, predicated on each user’s valuable information that is personal.

Needless to say, these detail by detail individual pages are not only of great interest to prospective love matches. They’re also extremely prized by hackers, as they’re the ’gold standard’ of information either to be used in targeted assaults, or even for offering on with other hacking groups, because they make it possible for attack tries to be very convincing to naive objectives.

As our scientists have actually uncovered vulnerabilities various other popular social networking platforms and apps, we made a decision to research the OkCupid application and see whenever we can find something that matched our passions. And now we discovered a number of things that led us as a much deeper relationship (solely professional, needless to say). OkCupidThe weaknesses we found and now have described in this extensive research might have permitted attackers to:

  • Expose users’ sensitive data saved regarding the application.
  • Perform actions with respect to the target.
  • Steals users’ profile and data that are private choices and faculties.
  • Steals users’ authentication token, users’ IDs, as well as other delicate information such as e-mail details.
  • Forward the info collected to the attacker’s host.

Check always Point Research informed OkCupid developers in regards to the weaknesses exposed in this research and a remedy had been responsibly implemented to make sure its users can properly carry on utilizing the app that is okCupid.

OkCupid added: “Not an user that is single relying on the charmdate prospective vulnerability on OkCupid, so we could actually correct it within 48 hours. We’re grateful to lovers like Checkpoint whom with OkCupid, place the privacy and safety of y our users first.”

Mobile Phone Platform

We started our research with some reverse engineering the OkCupid Android os Cellphone application (v40.3.1 on Android os 6.0.1). Through the reversing procedure, we unearthed that the application form is starting a WebView (and allows JavaScript to perform when you look at the context associated with window that is webView and loads remote URLs such as and much more.

Deep links allow attackers’ intents

While reverse engineering the OkCupid application, we discovered it possible to invoke intents in the app via a browser link that it has “deep links” functionality, making.

The intents that the program listens to would be the schema, customized schema and many more schemas:

An attacker can deliver a custom website website link which has the schemas mentioned above. Considering that the customized website link will support the “section” parameter, the mobile application will start a webview (web browser) screen – OkCupid mobile application. Any demand shall be delivered because of the users’ cookies.

For demonstration purposes, we utilized the link that is following

The application that is mobile a webview ( web browser) window with JavaScript enabled.

Reflected Scripting that is cross-Site(

As our research proceeded, we’ve discovered that OkCupid primary domain, is at risk of an XSS assault.

The injection point associated with XSS assault ended up being based in the individual settings functionality.

Retrieving the consumer profile settings is created utilizing an HTTP GET demand provided for the following path:

The part parameter is injectable and a hacker could put it to use to be able to inject harmful code that is javaScript.

For the intended purpose of demonstration, we now have popped a clear alert screen. Note: even as we noted above, the mobile application is opening a WebView screen and so the XSS is performed when you look at the context of a authenticated individual utilising the OkCupid application that is mobile.

Leave a Reply

Your email address will not be published. Required fields are marked *

fourteen + 6 =