Hacker, 22, seeks LTR with important computer data: weaknesses available on popular OkCupid relationship application

March 31, 2021

No Daters that is actual Harmed This Workout

Analysis by Alon Boxiner, Eran Vaknin

With more than 50 million users that are registered its launch, therefore the bulk aged between 25 and 34, OkCupid the most popular dating platforms globally. Conceived whenever four buddies from Harvard developed the initial free online dating service, it claims that more than 91 million connections are produced it became the first major dating site to create a mobile app through it annually, 50K dates made every week and.

Dating apps enable a cushty, available and instant experience of other people with the application. By sharing individual choices in every area, and using the app’s algorithm that is sophisticated it gathers users to like-minded individuals who can instantly begin interacting via instant texting.

To generate all of these connections, OkCupid develops personal pages for many its users, therefore it will make the most useful match, or matches, predicated on each user’s valuable information that is personal.

Needless to say, these step-by-step individual pages are not only of great interest to love that is potential. They’re also very prized by code hackers, as they’re the ’gold standard’ of data either for usage in targeted assaults, or even for attempting to sell on with other hacking groups, because they allow assault tries to be very convincing to naive goals.

As our scientists have actually uncovered vulnerabilities various other popular social media marketing platforms and apps, we chose to research the app that is okCupid see when we may find something that matched our passions. And now we discovered things that are several led us right into much deeper relationship (solely expert, needless to say). OkCupidThe weaknesses we discovered and now have described in this research may have permitted attackers to:

  • Expose users’ sensitive data saved from the app.
  • Perform actions with respect to the target.
  • Steals users’ profile and personal data, choices and traits.
  • Steals users’ authentication token, users’ IDs, as well as other painful and sensitive information such as e-mail details.
  • Forward the info collected in to the attacker’s host.

Always check Point Research informed OkCupid developers in regards to the weaknesses exposed in this research and an answer ended up being responsibly implemented to make sure its users can safely carry on utilizing the app that is okCupid.

OkCupid added: “Not a solitary individual had been influenced by the possibility vulnerability on OkCupid, and we also had the ability to repair it within 48 hours. We’re grateful to lovers like Checkpoint whom with OkCupid, place the privacy and safety of our users first.”

Cellphone Platform

We started some reverse engineering to our research the OkCupid Android os mobile phone application (v40.3.1 on Android os 6.0.1). Throughout the reversing procedure, we unearthed that the program is starting a WebView (and enables JavaScript to perform into the context associated with window that is webView and loads remote URLs such as and much more.

Deep links allow attackers’ intents

While reverse engineering the OkCupid application, we discovered so it has “deep links” functionality, to be able to invoke intents when you look at the software with a web browser link.

The intents that the program listens to love and seek would be the schema, customized schema and lots of more schemas:

A custom can be sent by an attacker website website link which contains the schemas mentioned above. Considering that the custom website link will retain the “section” parameter, the mobile application will start a webview (web browser) screen – OkCupid mobile application. Any demand shall be delivered aided by the users’ snacks.

For demonstration purposes, we utilized the following link:

The mobile application starts a webview ( web web browser) window with JavaScript enabled.

Reflected Cross-Site Scripting (XSS)

As our research proceeded, we’ve discovered that OkCupid primary domain, is at risk of an XSS attack.

The injection point regarding the XSS assault had been based in the individual settings functionality.

Retrieving an individual profile settings is created having an HTTP GET demand provided for the following path:

The part parameter is injectable and a hacker could apply it to be able to inject harmful JavaScript rule.

For the intended purpose of demonstration, we now have popped a clear window that is alert. Note: even as we noted above, the mobile application is starting a WebView screen and so the XSS is executed within the context of a authenticated individual utilizing the OkCupid mobile application.