Hacker, 22, seeks LTR with your computer data: weaknesses found on popular dating app that is okCupid

No Real Daters Harmed in This Exercise

Research by Alon Boxiner, Eran Vaknin

With more than 50 million users that are registered its launch, as well as the bulk aged between 25 and 34, OkCupid the most popular dating platforms globally. Conceived in 2004 whenever four buddies from Harvard developed initial free online dating service, it claims that more than 91 million connections are produced through it annually, 50K dates made every week plus in 2012 it became the very first major dating internet site to generate a mobile software.

Dating apps enable a cushty, available and connection that is immediate other people with the software. By sharing personal choices in virtually any area, and using the app’s algorithm that is sophisticated it gathers users to like-minded individuals who can straight away begin interacting via instant texting.

To generate every one of these connections, OkCupid develops personal pages for several its users, so that it makes the most readily useful match, or matches, according to each user’s valuable information that is personal.

Needless to say, these detail by detail individual pages are not merely of great interest to prospective love matches. They’re also very prized by code hackers, as they’re the ’gold standard’ of information either to be used in targeted assaults, or even for selling on to other hacking groups, because they allow assault tries to be extremely convincing to naive goals.

As our researchers have uncovered weaknesses various other popular social networking platforms and apps, we made a decision to check out the app that is okCupid see if we can find something that matched our interests. So we discovered a number of things that led us right into a much much deeper relationship (solely expert, needless to say). OkCupidThe weaknesses we discovered and now have described in this research might have permitted attackers to:

  • Expose users’ sensitive data stored regarding the application.
  • Perform actions with respect to the target.
  • Steals users’ profile and data that are private choices and traits.
  • Steals users’ authentication token, users’ IDs, as well as other information that is sensitive as e-mail addresses.
  • Forward the data collected in to the attacker’s host.

Check Point Research informed OkCupid developers in regards to the weaknesses exposed in this research and an answer had been responsibly implemented to make sure its users can safely keep using the OkCupid software.

OkCupid added: “Not an user that is single influenced by the possibility vulnerability on OkCupid, and we also could actually repair it within 48 hours. We’re grateful to lovers like Checkpoint whom with OkCupid, place the privacy and safety of our users first. ”

Mobile Phone Platform

We started our research with some reverse engineering the OkCupid Android os Cellphone application (v40.3.1 on Android 6.0.1). Through the reversing procedure, we found that the application is opening a WebView (and allows JavaScript to perform when you look at the context of this WebView window) and loads remote URLs such as for instance https: //OkCupid.com, https: //www. OkCupid.com, https: //OkCupid. Onelink.me and much more.

Deep links allow attackers’ intents

While reverse engineering the OkCupid application, we discovered so it has “deep links” functionality, to be able to invoke intents within the software via a web browser website link.

The intents that the program listens to would be the “https: //OkCupid.com” schema, “OkCupid: //” custom schema and lots of more schemas:

A custom can be sent by an attacker website link which has the schemas mentioned above. Considering that the customized website link will support the “section” parameter, the mobile application will start a webview (web browser) screen – OkCupid mobile application. Any demand will be delivered utilizing the users’ snacks.

For demonstration purposes, we used the link that is following

The mobile application starts a webview ( browser) window with JavaScript enabled.

Reflected Scripting that is cross-Site(

As our research continued, we now have discovered that OkCupid main domain, https: //www. OkCupid.com, is in danger of an XSS attack.

The injection point regarding the XSS assault had been based in the individual settings functionality.

Retrieving the consumer profile settings is manufactured having an HTTP GET request provided for the following path:

The part parameter is injectable and a hacker could put it to use to be able to inject malicious code that is javaScript.

For the intended purpose of demonstration, we now have popped an empty alert screen. Note: As we noted above, the mobile application is starting a WebView screen and so the XSS is executed into the context of a authenticated individual utilising the OkCupid application that is mobile.

Sensitive Data visibility & Performing actions with respect to the target

As much as this aspect, we’re able to launch the OkCupid mobile application utilizing a deep link, OkCupid: //, containing a harmful JavaScript rule when you look at the part parameter. The after screenshot shows the last XSS payload which loads jQuery and then lots JavaScript rule through the attacker’s host: (take note the top of area offers the XSS payload while the base section is similar payload encoded with URL encoding):

The after screenshot demonstrates an HTTP GET demand containing the last XSS payload (part parameter):

The host replicates the payload sent previous into the part parameter in addition to injected JavaScript code is performed into the context associated with WebView.

As previously mentioned before, the last XSS payload lots a script file through the attacker’s host. The loaded JavaScript code will be utilized for exfiltration and account contains 3 functions:

  1. Steal_token – Steals users’ authentication token, oauthAccessToken, therefore the users’ id, userid. Users’ sensitive information (PII), such as for example current email address, is exfiltrated aswell.
  2. Steal_data – Steals users’ profile and data that are private choices, users’ characteristics ( e.g. Answers filled during registration), and much more.
  3. Send_data_to_attacker – send the data collected in functions 1 and 2 into the attacker’s host.

Steal_token function:

The big event creates a call that is api the server. Users’ snacks are provided for the host because the XSS payload is performed within the context associated with the application’s WebView.

The host reacts by having A json that is vast the users’ id additionally the verification token also:

Steal data function:

The event produces an HTTP request to https: //www. OkCupid.com: 443/graphql endpoint.

On the basis of the information exfiltrated into the steal_token function, the demand has been delivered with all the verification token as well as the user’s id.

The server reacts while using the information about the victim’s profile, including email, intimate orientation, height, household status, etc.

Forward information to attacker function:

The big event creates a POST request towards the attacker’s host containing all the details retrieved in the function that is previous (steal_token and steal_data functions).

The screenshot that is following an HTTP POST demand provided for the attacker’s host. The demand human body contains all the victim’s information that is sensitive

Performing actions with respect to the victim can be feasible as a result of exfiltration for the victim’s verification token while the users’ id. These records is employed into the harmful JavaScript rule (in the same way used in the steal_data function).

An assailant can perform actions such as send messages and alter profile data because of the information exfiltrated within the steal_token function:

  1. Authentication token, oauthAccessToken, is employed into the authorization header (bearer value).
  2. Consumer id, userId, is added as required.

Note: An attacker cannot perform account that is full considering that the cookies are protected with HTTPOnly.

The details exfiltrated when you look at the function that is steal_token

  1. Authentication token, oauthAccessToken, is employed when you look at the authorization header (bearer value).
  2. User id, userId, is added as needed.

Note: An attacker cannot perform account that is full because the cookies are protected with HTTPOnly.

Internet System Vulnerabilities Mis-configured Cross-Origin Site Sharing Policy Results In Fragile Information Publicity

In the course of the study, we now have discovered that the CORS policy of this API server api. OkCupid.com just isn’t configured correctly and any origin can send needs towards the host and read its’ responses. The following demand demonstrates a demand delivered the API host through the beginning https: //OkCupidmeethehacker.com:

adventist singles sign in

The host will not validate the origin properly and responds with all the required information. Furthermore, the server reaction contains Access-Control-Allow-Origin: https: //OkCupidmeethehacker.com and Access-Control-Allow-Credentials: real headers:

Only at that point on, we knew that individuals can send needs towards the API host from our domain (OkCupidmeethehacker.com) without having to be obstructed because of the CORS policy.

Once a target is authenticated on OkCupid application and browsing to your attacker’s internet application (https: //OkCupidmeethehacker.com), an HTTP GET demand is delivered to https: //api. OkCupid.com/1/native/bootstrap containing the victim’s cookies. The server’s reaction contains A json that is vast containing the victim’s authentication token (oauth_accesstoken) and also the victim’s user_id.

We’re able to find a lot more data that are useful the bootstrap API endpoint – sensitive and painful API endpoints in the API host:

The following screenshot shows painful and sensitive PII data exfiltration from the /profile/ API endpoint, utilizing the victim’s user_id as well as the access_token:

The screenshot that is following exfiltration associated with the victim’s communications through the /1/messages/ API endpoint, utilising the victim’s user_id as well as the access_token: