Hacker, 22, seeks LTR with your data: vulnerabilities found on the popular dating app OkCupid

No Real Daters Harmed in This Exercise

Research by Alon Boxiner, Eran Vaknin

With over 50 million registered users since its launch, the majority of them aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived in 2004, when four friends from Harvard created the first free online dating site, it claims that over 91 million connections are made through it every year and 50K dates every week, and in 2012 it became the first major dating site to create a mobile app.

Dating apps provide a comfortable, accessible and immediate connection with other people using the app. By sharing personal preferences in every area, and using the app’s sophisticated matching algorithm, users are matched to like-minded people with whom they can immediately begin communicating via instant messaging.

To create all those connections, OkCupid builds personal profiles for all its users, so it can make the best match, or matches, based on each user’s valuable personal information.

Of course, these detailed user profiles are not only of interest to potential dates. They are also highly prized by hackers, as they are the ’gold standard’ of data, either for use in targeted attacks or for selling on to other hacking groups, because they make attack attempts very convincing to unsuspecting targets.

As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to research the OkCupid app to see if we could find something that matched our interests. And we found several things that led us into a deeper relationship (purely professional, of course). The vulnerabilities we found and have described in this research could have allowed attackers to:

  • Expose users’ sensitive data stored on the app.
  • Perform actions on behalf of the victim.
  • Steal users’ profile and private data, preferences and characteristics.
  • Steal users’ authentication token, users’ IDs, and other sensitive information such as e-mail addresses.
  • Send the collected data to the attacker’s server.

Check Point Research informed OkCupid’s developers about the vulnerabilities exposed in this research, and a fix was responsibly deployed to ensure its users can safely continue using the OkCupid app.

OkCupid added: “Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Checkpoint who, with OkCupid, place the security and privacy of our users first.”

Mobile Platform

We started our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (with JavaScript enabled in the context of the WebView window) and loads remote URLs such as https://OkCupid.com, https://www.OkCupid.com, https://OkCupid.onelink.me and more.

Deep links help attackers’ intents

While reverse engineering the OkCupid application, we found that it has “deep links” functionality, making it possible to invoke intents in the app via a browser link.

The intents that the application listens to are the “https://OkCupid.com” schema, the “OkCupid://” custom schema and many more schemas:

An attacker can send a custom link that contains one of the schemas mentioned above. Since the custom link contains the “section” parameter, the mobile application opens a WebView (browser) window, and any request made from it is sent with the user’s cookies.

For demonstration purposes, we used the following link:

The mobile application opens a WebView (browser) window with JavaScript enabled.
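The defensive counterpart of the deep-link handling described above is to treat every part of an incoming link as untrusted before it reaches a JavaScript-enabled WebView. The following added example is not code from the OkCupid app or from Check Point; it is a stand-alone model, in Python, of the decision an app should make: only known schemes and hosts are accepted, the `section` value must be one of a fixed set of section names, and unexpected query parameters are refused instead of being forwarded. The host and section allowlists are hypothetical; only the hosts and the `section` parameter name come from the text.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlists for illustration. The hosts are the ones named in the
# research text; the section names are assumed, not the app's real ones.
ALLOWED_HTTPS_HOSTS = {"okcupid.com", "www.okcupid.com"}
CUSTOM_SCHEME = "okcupid"
CANONICAL_HOST = "www.okcupid.com"
ALLOWED_SECTIONS = {"profile", "settings", "messages"}


def resolve_deep_link(link: str) -> Optional[Tuple[str, str]]:
    """Return (host, section) the app may load in its WebView, or None to refuse.

    The link arrives from another app or a web page, so it is attacker
    controlled: scheme, host and every query parameter are checked against
    an allowlist, and nothing is passed through unchanged.
    """
    parts = urlsplit(link)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower() if parts.hostname else ""

    if scheme == "https":
        # Only the app's own hosts may be loaded; plain http is refused too.
        if host not in ALLOWED_HTTPS_HOSTS:
            return None
    elif scheme == CUSTOM_SCHEME:
        # A custom-scheme link always resolves to the canonical host; the
        # authority part of such a link is never trusted.
        host = CANONICAL_HOST
    else:
        return None

    query = parse_qs(parts.query, keep_blank_values=True)

    # Exactly one section value, and it must be a known section name.
    # Injected markup or script text is simply not in the set and is refused.
    sections = query.get("section", [])
    if len(sections) != 1 or sections[0] not in ALLOWED_SECTIONS:
        return None

    # Any parameter the app does not expect is a reason to refuse the link
    # rather than forward it to the web content.
    if set(query) - {"section"}:
        return None

    return host, sections[0]


if __name__ == "__main__":
    # Constructed sample links (not taken from the research).
    for sample in (
        "https://www.okcupid.com/settings?section=profile",
        "okcupid://?section=settings",
        "okcupid://?section=%3Cscript%3Ealert(1)%3C/script%3E",
        "https://evil.example/?section=profile",
    ):
        print(sample, "->", resolve_deep_link(sample))
```

The point of refusing rather than sanitising is that the WebView never sees a value the server did not expect, which also removes the reflected-input path that the rest of the research builds on.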

Reflected Cross-Site Scripting (XSS)

As our research continued, we found that OkCupid’s main domain, https://www.OkCupid.com, is vulnerable to a reflected XSS attack.

The injection point of the XSS attack was found in the user settings functionality.

Retrieving the user profile settings is done with an HTTP GET request sent to the following path:

The section parameter is injectable, and an attacker could use it to inject malicious JavaScript code.

For the purpose of demonstration, we popped a simple alert window. Note: as mentioned above, the mobile application opens a WebView window, so the XSS is executed in the context of an authenticated user of the OkCupid mobile application.
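To make the defect class concrete, here is an added example (written for this article, not OkCupid’s code and not Check Point’s proof of concept) of a settings page that reflects the `section` parameter. The first renderer echoes the raw value, which is the behaviour the research describes; the second HTML-escapes it and only treats allowlisted names as real sections. A small regression check and a set of hardening headers are included; the section names and the `Content-Security-Policy` value are my assumptions, added as defence in depth against the remote-script second stage the payload relies on.

```python
import html
from typing import Dict
from urllib.parse import parse_qs

# Hypothetical allowlist of section names the settings page can render.
ALLOWED_SECTIONS = {"profile", "notifications", "privacy"}


def render_settings_vulnerable(query_string: str) -> str:
    """Reflects the raw section value into the page: the defect described above."""
    section = parse_qs(query_string).get("section", [""])[0]
    return f'<div id="settings" data-section="{section}">Settings: {section}</div>'


def render_settings_hardened(query_string: str) -> str:
    """Escapes the value before reflecting it, and only renders known sections."""
    section = parse_qs(query_string).get("section", [""])[0]
    safe = html.escape(section, quote=True)  # encode <, >, &, " and ' every time
    if section not in ALLOWED_SECTIONS:
        # Unknown names are reported, escaped, never rendered as a section.
        return f'<div id="settings">Unknown section: {safe}</div>'
    return f'<div id="settings" data-section="{safe}">Settings: {safe}</div>'


def hardened_response_headers() -> Dict[str, str]:
    """Headers that keep a reflected payload from loading a second-stage script
    from another origin (assumed policy; tighten to the site's real sources)."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def is_reflected_unescaped(payload: str, rendered_html: str) -> bool:
    """Regression check: True if the payload text appears verbatim in the output."""
    return payload in rendered_html


if __name__ == "__main__":
    # Constructed probe: a script tag in the section parameter.
    probe = "<script>alert(1)</script>"
    qs = "section=" + probe
    print(is_reflected_unescaped(probe, render_settings_vulnerable(qs)))  # True
    print(is_reflected_unescaped(probe, render_settings_hardened(qs)))   # False
    print(render_settings_hardened(qs))
```

Escaping on output is what closes the reflected XSS; the allowlist limits what the page will do with the value at all, and the CSP means that even a missed encoding cannot pull `jQuery` or a collector script from an attacker-controlled host, which is exactly the step the payload in the next section depends on.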

Sensitive Data Exposure & Performing actions on behalf of the victim

Up to this point, we were able to launch the OkCupid mobile application using a deep link, OkCupid://, containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker’s server (please note that the upper section contains the XSS payload and the bottom section is the same payload, URL-encoded):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.

As mentioned before, the final XSS payload loads a script file from the attacker’s server. The loaded JavaScript code is used for exfiltration and consists of three functions:

  1. Steal_token – Steals the user’s authentication token, oauthAccessToken, and the user’s id, userid. The user’s sensitive information (PII), such as e-mail address, is exfiltrated as well.
  2. Steal_data – Steals the user’s profile and private data, preferences, characteristics (e.g. answers filled in during registration), and more.
  3. Send_data_to_attacker – Sends the data collected by functions 1 and 2 to the attacker’s server.

Steal_token function:

The function makes an API call to the server. The user’s cookies are sent to the server, since the XSS payload is executed in the context of the application’s WebView.

The server responds with a large JSON document containing the user’s id and the authentication token as well:

Steal_data function:

The function makes an HTTP request to the https://www.OkCupid.com:443/graphql endpoint.

Based on the information exfiltrated by the steal_token function, the request is sent with the authentication token and the user’s id.

The server responds with the data about the victim’s profile, including e-mail, sexual orientation, height, family status, etc.

Send_data_to_attacker function:

The function makes a POST request to the attacker’s server containing all the information retrieved by the previous functions (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker’s server. The request body contains all of the victim’s sensitive information:

Performing actions on behalf of the victim is also possible, due to the exfiltration of the victim’s authentication token and user id. This information is used in the malicious JavaScript code (in the same way as in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data using the information exfiltrated by the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (as the Bearer value).
  2. The user id, userId, is added as required.

Note: An attacker cannot perform a full account takeover, because the cookies are protected with the HttpOnly flag.

Web Platform Vulnerabilities

Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured properly: any origin can send requests to the server and read its responses. The following screenshot shows a request sent to the API server from the origin https://OkCupidmeethehacker.com:

The server does not validate the origin properly and responds with the requested data. Moreover, the server response contains the Access-Control-Allow-Origin: https://OkCupidmeethehacker.com and Access-Control-Allow-Credentials: true headers:

From this point on, we found that we could send requests to the API server from our domain (OkCupidmeethehacker.com) without being blocked by the CORS policy.

Once a victim who is authenticated to OkCupid browses to the attacker’s web application (https://OkCupidmeethehacker.com), an HTTP GET request is sent to https://api.OkCupid.com/1/native/bootstrap containing the victim’s cookies. The server’s response includes a large JSON document containing the victim’s authentication token (oauth_accesstoken) and the victim’s user_id.

We could find much more useful data in the bootstrap API endpoint – sensitive API endpoints in the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim’s user_id and the access_token:

The following screenshot shows exfiltration of the victim’s messages from the /1/messages/ API endpoint, using the victim’s user_id and the access_token:
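The CORS problem above comes down to one server-side decision: which `Origin` values get `Access-Control-Allow-Origin` echoed back together with `Access-Control-Allow-Credentials: true`. The added example below is not OkCupid’s server code or Check Point’s tooling; it is a Python model of that decision, showing the reflecting configuration the research describes next to a strict allowlist, plus a model of the browser’s check for credentialed requests that a defender can run against a test response to confirm that an outside origin (the research’s https://OkCupidmeethehacker.com is reused as the sample) can no longer read cookie-authenticated API data. The allowlisted origins are assumed.

```python
from typing import Dict, Optional

# Hypothetical allowlist: the browser origins this API is meant to serve.
ALLOWED_ORIGINS = {"https://www.okcupid.com", "https://okcupid.com"}


def cors_headers_weak(origin: Optional[str]) -> Dict[str, str]:
    """The misconfiguration described above: echo any Origin and allow credentials,
    so any site the victim visits can read authenticated API responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(origin: Optional[str]) -> Dict[str, str]:
    """Only allowlisted origins receive CORS headers. Every other origin gets
    none, so the browser withholds the response body from the calling page."""
    if origin is None or origin.lower() not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin.lower(),
        "Access-Control-Allow-Credentials": "true",
        # Prevent a shared cache from replaying one origin's ACAO to another.
        "Vary": "Origin",
    }


def browser_allows_credentialed_read(origin: str, headers: Dict[str, str]) -> bool:
    """Model of the browser's CORS check for a credentialed (cookie-carrying)
    request: the body is exposed only if ACAO equals the page's origin exactly
    (a wildcard is rejected when credentials are involved) and ACAC is the
    literal string 'true'."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "")
    return acao == origin and acac == "true"


def cors_exposes_credentialed_data(origin: str, headers: Dict[str, str]) -> bool:
    """Audit check: True if an origin outside the allowlist could read a
    credentialed response, which is the condition the research exploited."""
    return origin.lower() not in ALLOWED_ORIGINS and browser_allows_credentialed_read(origin, headers)


if __name__ == "__main__":
    outside = "https://OkCupidmeethehacker.com"  # origin used in the research
    print("weak config exposes data:", cors_exposes_credentialed_data(outside, cors_headers_weak(outside)))
    print("hardened config exposes data:", cors_exposes_credentialed_data(outside, cors_headers_hardened(outside)))
```

Two points worth keeping in mind when applying this: the allowlist must be an exact-match set of full origins (scheme, host and port), since substring or suffix checks are a classic way to let a look-alike domain through; and the `Vary: Origin` header matters as soon as a CDN or proxy caches API responses, because otherwise a header computed for a legitimate origin can be served to a request from another one.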