Cybersecurity researchers today disclosed several security issues in popular online dating platform OkCupid that could potentially let attackers remotely spy on users’ private information or perform malicious actions on behalf of the targeted accounts.
According to a report shared with The Hacker News, researchers from Check Point found that the flaws in OkCupid’s Android and web applications could allow the theft of users’ authentication tokens, user IDs, and other sensitive information such as email addresses, preferences, sexual orientation, and other private data.
After Check Point researchers responsibly shared their findings with OkCupid, the Match Group-owned company fixed the issues, stating, “not a single user was impacted by the potential vulnerability.”
The Chain of Flaws
The flaws were identified as part of reverse engineering of OkCupid’s Android app version 40.3.1, which was released on April 29 earlier this year. Since then, there have been 15 updates to the app with the most recent version (43.3.2) hitting Google Play Store yesterday.
Check Point said OkCupid’s use of deep links could enable a bad actor to send a custom link defined in the app’s manifest file to open a browser window with JavaScript enabled. Any such request was found to return the users’ cookies.
The researchers also uncovered a separate flaw in OkCupid’s settings functionality that makes it vulnerable to an XSS attack by injecting malicious JavaScript code using the “section” parameter, as follows: “https://ift.tt/39IMjz8”.
The aforementioned XSS attack can be augmented further by loading a JavaScript payload from an attacker-controlled server to steal authentication tokens, profile information, and user preferences, and transmit the amassed data back to the server.
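The settings flaw described above is the classic pattern of a query parameter (here “section”) being placed into page markup without output encoding. The following is an added illustration, not OkCupid’s code and not Check Point’s proof of concept: a tiny page renderer in the vulnerable form beside two hardened forms (HTML-encoding the value, and treating it as a key into a fixed set of section names). The host name, the section names and the sample URL are all constructed for the example.

```javascript
// Added example: how an unencoded "section"-style query parameter reaches the
// page, and two ways to stop it. Not OkCupid's code; all names are constructed.

// Encode the five characters that matter when text is placed into element
// content or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the raw parameter is concatenated into markup, so any markup
// in the URL is interpreted by the browser or WebView that renders the page.
function renderSettingsVulnerable(requestUrl) {
  const section = new URL(requestUrl).searchParams.get("section") || "general";
  return `<h1>Settings: ${section}</h1>`;
}

// Hardened form 1: encode on output. The value is still shown, but as text.
function renderSettingsEscaped(requestUrl) {
  const section = new URL(requestUrl).searchParams.get("section") || "general";
  return `<h1>Settings: ${escapeHtml(section)}</h1>`;
}

// Hardened form 2: the parameter selects one of a known set of sections and is
// never rendered as free text; anything unknown falls back to the default.
const KNOWN_SECTIONS = new Set(["general", "privacy", "notifications"]);
function renderSettingsAllowlisted(requestUrl) {
  const requested = new URL(requestUrl).searchParams.get("section");
  const section = KNOWN_SECTIONS.has(requested) ? requested : "general";
  return `<h1>Settings: ${section}</h1>`;
}

// Constructed sample input: a settings URL whose section parameter carries markup
// (URL-encoded "<script>alert(1)</script>").
const SAMPLE_URL =
  "https://settings.example/settings?section=%3Cscript%3Ealert(1)%3C%2Fscript%3E";

console.log("vulnerable :", renderSettingsVulnerable(SAMPLE_URL));
console.log("escaped    :", renderSettingsEscaped(SAMPLE_URL));
console.log("allowlisted:", renderSettingsAllowlisted(SAMPLE_URL));
```

The allow-list form is the stronger fix for a parameter like this one, because a settings page only ever has a handful of sections; output encoding remains the general rule for any user-controlled text that must be displayed verbatim.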
“Users’ cookies are sent to the [OkCupid] server since the XSS payload is executed in the context of the application’s WebView,” the researchers said, outlining their method to capture the token information. “The server responds with a vast JSON containing the users’ id and the authentication token.”
Once in possession of the user ID and the token, an adversary can send a request to the “https://ift.tt/33bjidY” endpoint to fetch all the information associated with the victim’s profile (email address, sexual orientation, height, family status, and other personal preferences) as well as carry out actions on behalf of the compromised individual, such as sending messages and changing profile data.
However, a full account hijack is not possible, as the cookies carry the HttpOnly flag, which prevents client-side script from reading them.
Lastly, an oversight in the Cross-Origin Resource Sharing (CORS) policy of the API server could have permitted an attacker to craft requests from any origin (e.g., “https://ift.tt/2Dfh0zM”) in order to get hold of the user ID and authentication token, and subsequently use that information to extract profile details and messages using the API’s “profile” and “messages” endpoints.
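A CORS policy that lets “any origin” read authenticated API responses usually comes from one specific server behaviour: echoing the request’s Origin header back in Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true. The block below is an added example, not OkCupid’s server code and not Check Point’s test: it shows that reflecting policy next to an exact-match allow-list, plus a small audit helper that a defender can run against recorded request/response pairs to spot the exposed combination. The allow-listed origins and the probing origin are constructed placeholders.

```javascript
// Added example: a reflecting CORS policy, its allow-listed replacement, and an
// audit check. Not OkCupid's code; origins below are constructed placeholders.

// The front-end origins that are legitimately allowed to call the API with
// credentials. Matching must be exact: a prefix or substring test would let
// "https://app.example.evil.test" through.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://m.app.example"]);

// Weak policy: whatever Origin arrives is echoed back, with credentials allowed.
// For a credentialed request the browser then lets that origin read the body.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Corrected policy: only an exact allow-list member is echoed. Unknown origins
// get no CORS headers at all, so the browser refuses the cross-origin read.
function corsHeadersAllowlisted(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Audit helper: given the Origin that was sent and the headers that came back,
// return true when a credentialed response would be readable by that origin.
// Per the CORS rules, that requires an exact ACAO match (a "*" wildcard is not
// accepted by browsers together with credentials) and ACAC set to "true".
function isCredentialedReadExposed(requestOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const creds = responseHeaders["Access-Control-Allow-Credentials"] === "true";
  return Boolean(acao) && acao === requestOrigin && creds;
}

// Constructed probe: an origin that is not on the allow-list.
const PROBE_ORIGIN = "https://not-our-site.example";

console.log("reflecting policy exposes probe origin :",
  isCredentialedReadExposed(PROBE_ORIGIN, corsHeadersReflecting(PROBE_ORIGIN)));
console.log("allowlisted policy exposes probe origin:",
  isCredentialedReadExposed(PROBE_ORIGIN, corsHeadersAllowlisted(PROBE_ORIGIN)));
```

The audit helper only reasons about headers, so it can be pointed at proxy logs or HAR captures: any record where the echoed Access-Control-Allow-Origin equals a request Origin that is not in your allow-list, with credentials enabled, is the condition described above.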
Remember Ashley Madison Breach and Blackmail Threats?
Although the vulnerabilities were not exploited in the wild, the episode is yet another reminder of how bad actors could have taken advantage of the flaws to threaten victims with blackmail and extortion.
After Ashley Madison, an adult dating service catering to married individuals seeking partners for affairs, was hacked in 2015 and information about its 32 million users was posted to the dark web, phishing and sextortion campaigns rose, with blackmailers reportedly sending personalized emails to the users and threatening to reveal their membership to friends and family unless they paid.
“The dire need for privacy and data security becomes far more crucial when so much private and intimate information is being stored, managed and analyzed in an app,” the researchers concluded. “The app and platform was created to bring people together, but of course where people go, criminals will follow, looking for easy pickings.”