Hacker, 22, seeks LTR with your data: vulnerabilities found on popular OkCupid dating app

No Actual Daters Were Harmed In This Exercise

Research by Alon Boxiner, Eran Vaknin

With over 50 million registered users since its launch, and the majority aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived in 2004 when four friends from Harvard developed the first free online dating service, it claims that over 91 million connections are made through it every year and 50K dates are made every week, and in 2012 it became the first major dating site to create a mobile app.

Dating apps enable a comfortable, accessible and immediate connection with other people using the app. By sharing personal preferences in any area, and using the app's sophisticated algorithm, it connects users to like-minded people who can immediately start communicating via instant messaging.

To make all those connections, OkCupid builds personal profiles for all of its users, so that it can make the best match, or matches, based on each user's valuable personal information.

Of course, these detailed personal profiles are not only of interest to potential love matches. They're also highly prized by hackers, as they're the 'gold standard' of data, either for use in targeted attacks or for selling on to other hacking groups, because they allow attack attempts to be very convincing to unsuspecting targets.

As our researchers have previously uncovered vulnerabilities in other popular social media platforms and apps, we decided to look at the OkCupid application and see if we could find something that matched our interests. And we found several things that led us into a deeper relationship (strictly professional, of course). The vulnerabilities we found and have described in this research could have allowed attackers to:

  • Expose users' sensitive data stored on the app.
  • Perform actions on behalf of the victim.
  • Steal users' profile and private data, preferences and characteristics.
  • Steal users' authentication token, user IDs, and other sensitive information such as email addresses.
  • Send the collected data to the attacker's server.

Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research, and a fix was responsibly deployed to ensure its users can safely continue using the OkCupid app.

OkCupid added: "Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Checkpoint who, with OkCupid, put the privacy and safety of our users first."

Mobile Platform

We started our research with some reverse engineering of the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (and allows JavaScript to execute in the context of the WebView window) and loads remote URLs such as https://OkCupid.com, https://www.OkCupid.com, https://OkCupid.onelink.me and more.

Deep links allow attackers' intents

While reverse engineering the OkCupid application, we found that it has "deep links" functionality, making it possible to invoke intents in the app via a browser link.

The intents that the application listens for are the "https://OkCupid.com" scheme, the "OkCupid://" custom scheme and several more schemes:

An attacker can send a custom link that uses the schemes mentioned above. The OkCupid mobile application will open a WebView (browser) window because the custom link contains the "section" parameter. Any request will be sent with the user's cookies.

For demonstration purposes, we used the following link:

The mobile application opens a WebView (browser) window with JavaScript enabled.
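The deep link is the point where an attacker-controlled URL first reaches the app, so the natural control is to validate it before its target is handed to a JavaScript-enabled WebView. The following is an added example, not OkCupid's code: it requires the scheme and host to match an exact allowlist and requires the section value to be a plain identifier rather than markup. The scheme list, the host list, the section pattern and all sample links are assumptions constructed for the demonstration; the app's real values are not on the page.

```javascript
// Added example (not OkCupid's code): validate a deep link before loading it in a
// JavaScript-enabled WebView. The allowlists and the section pattern are assumptions.
const ALLOWED_SCHEMES = new Set(['https:', 'okcupid:']);
const ALLOWED_HOSTS = new Set(['okcupid.com', 'www.okcupid.com']);
// A section name selects a settings screen; it is an identifier, never markup.
const SECTION_PATTERN = /^[a-z][a-z0-9_-]{0,31}$/;

function validateDeepLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: 'scheme' };
  }
  // Exact match on the host. A suffix check ("ends with okcupid.com") would accept
  // okcupid.com.attacker.example. Userinfo tricks (okcupid.com@attacker.example) are
  // already resolved by the URL parser, which reports attacker.example as the host.
  // Custom schemes keep the host's original case, so normalise before comparing.
  const host = url.hostname.toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) {
    return { ok: false, reason: 'host' };
  }
  const section = url.searchParams.get('section');
  if (section !== null && !SECTION_PATTERN.test(section)) {
    return { ok: false, reason: 'section' };
  }
  return { ok: true, host, section };
}

// Constructed sample links exercising each check (none of these are from the page).
const SAMPLE_LINKS = [
  'https://www.okcupid.com/settings?section=profile',
  'okcupid://OkCupid.com/settings?section=profile',
  'https://okcupid.com.attacker.example/settings?section=profile',
  'https://www.okcupid.com@attacker.example/settings',
  'https://www.okcupid.com/settings?section=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
  'javascript:alert(1)',
];

function runSamples() {
  return SAMPLE_LINKS.map((link) => ({ link, ...validateDeepLink(link) }));
}

for (const r of runSamples()) {
  console.log(r.ok ? 'ALLOW' : `BLOCK (${r.reason})`, r.link);
}
```

Only the first two links pass; the lookalike host, the userinfo trick, the markup in the section value and the javascript: scheme are each rejected for the reason named. The section allowlist is the piece that also removes the reflected-parameter risk described in the next section, since a value that cannot contain `<` cannot carry markup.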

Reflected Cross-Site Scripting (XSS)

As our research continued, we found that OkCupid's main domain, https://www.OkCupid.com, is vulnerable to an XSS attack.

The injection point of the XSS attack was found in the user settings functionality.

Retrieving a user's profile settings is done using an HTTP GET request sent to the following path:

The section parameter is injectable, and an attacker could use it to inject malicious JavaScript code.

For demonstration purposes, we popped an empty alert window. Note: as we noted above, the mobile application opens a WebView window, so the XSS executes in the context of an authenticated user of the OkCupid mobile application.
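The reflected XSS above is a server-side defect: the section parameter comes back in the response unchanged. The following added example (not OkCupid's code) shows the vulnerable pattern beside its hardened form, plus the response headers that limit the damage even when an encoding slip remains. The settings markup, the header values and the probe string are placeholders constructed for the demonstration; the real page template is not on the page.

```javascript
// Added example (not OkCupid's code): how a reflected parameter becomes XSS, and the
// server-side controls that stop it. The template and the probe are placeholders.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the query parameter is concatenated into the response unchanged, so any
// markup in it is parsed by the browser and runs with the site's origin and cookies.
function renderSettingsVulnerable(section) {
  return `<section data-section="${section}"><h1>Settings: ${section}</h1></section>`;
}

// Hardened: every reflection of the parameter is HTML-encoded for the context it lands
// in (here an attribute value and element text; both are covered by the same escapes).
function renderSettingsSafe(section) {
  const enc = escapeHtml(section);
  return `<section data-section="${enc}"><h1>Settings: ${enc}</h1></section>`;
}

// Defence in depth: a CSP without 'unsafe-inline' blocks injected inline script, and a
// script-src limited to the site's own origin blocks loading libraries or payloads from
// any other host, which is exactly what the payload described later on this page does.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Test-suite check: a renderer is unsafe if a markup probe comes back verbatim.
// The probe mirrors the page's own demonstration (an alert) and is constructed here.
function reflectsMarkup(render) {
  const probe = '<script>alert(1)</script>';
  return render(probe).includes(probe);
}

console.log('vulnerable renderer reflects markup:', reflectsMarkup(renderSettingsVulnerable));
console.log('hardened renderer reflects markup:', reflectsMarkup(renderSettingsSafe));
```

The `reflectsMarkup` check is the kind of assertion worth keeping in a regression suite for every endpoint that echoes a request parameter: it fails on the vulnerable renderer and passes on the encoded one.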

Sensitive Data Exposure & Performing Actions on Behalf of the Victim

Up to this point, we were able to launch the OkCupid mobile application with a deep link, OkCupid://, containing malicious JavaScript code in the section parameter. The following screenshot demonstrates the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the upper section contains the XSS payload and the bottom section is the same payload with URL encoding):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for data exfiltration and for acting on the victim's account, and contains 3 functions:

  1. Steal_token – Steals the user's authentication token, oauthAccessToken, as well as the user's id, userid. The user's sensitive information (PII), such as email address, is exfiltrated as well.
  2. Steal_data – Steals the user's profile and private data, preferences, characteristics (e.g. answers filled in during registration), and more.
  3. Send_data_to_attacker – Sends the data collected by functions 1 and 2 to the attacker's server.

Steal_token function:

The function makes an API call to the server. The user's cookies are sent to the server because the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON document containing the user's id and the authentication token:

Steal_data function:

The function makes an HTTP request to the https://www.OkCupid.com:443/graphql endpoint.

Based on the information exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with information about the victim's profile, including email, sexual orientation, height, family status, etc.

Send_data_to_attacker function:

The function makes a POST request to the attacker's server containing all the information retrieved by the previous functions (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is possible due to the exfiltration of the victim's authentication token and user id. This information can be used in the malicious JavaScript code (similar to what is used in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data using the information exfiltrated in the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (bearer value).
  2. The user id, userId, is added as required.

Note: An attacker cannot perform a full account takeover because the cookies are protected with HttpOnly.

Web Platform Vulnerabilities

Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured properly, and any origin can send requests to the server and read its responses. The following request was sent to the API server from the origin https://OkCupidmeethehacker.com:

The server doesn't properly validate the origin and responds with the requested data. Moreover, the server response contains the headers Access-Control-Allow-Origin: https://OkCupidmeethehacker.com and Access-Control-Allow-Credentials: true:

At this point, we realized we could send requests to the API server from our domain (OkCupidmeethehacker.com) without being blocked by the CORS policy.

Once a victim is authenticated on the OkCupid application and browses to the attacker's web application (https://OkCupidmeethehacker.com), an HTTP GET request is sent to https://api.OkCupid.com/1/native/bootstrap containing the victim's cookies. The server's response includes a large JSON document containing the victim's authentication token (oauth_accesstoken) and the victim's user_id.
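The CORS behaviour described above, echoing any Origin together with Access-Control-Allow-Credentials: true, is the combination that lets a foreign page read a credentialed response. The following added example (not OkCupid's code) places the misconfigured handler beside an allowlisted one and adds a helper that flags the pattern in captured response headers, which is how an API owner would audit their own server. The trusted-origin list and the sample response are assumptions constructed for the demonstration; the sample reuses the origin named on the page, and the rest of the real response is not reproduced.

```javascript
// Added example (not OkCupid's code): the CORS misconfiguration beside an allowlist check,
// plus an audit helper for captured responses. TRUSTED_ORIGINS is an assumption.
const TRUSTED_ORIGINS = new Set(['https://www.okcupid.com', 'https://okcupid.com']);

// Misconfigured: whatever Origin the browser sent is echoed back with credentials allowed.
// Browsers refuse "*" together with credentials, so echoing the origin is the way a server
// ends up granting every site credentialed read access to its API.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected: only an exact allowlist match is echoed; any other origin gets no CORS
// headers, so the browser withholds the response body from the calling page.
// "Vary: Origin" stops a shared cache from serving one origin's headers to another.
function corsHeadersAllowlisted(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Audit helper: given the Origin that was sent and the response headers that came back,
// report whether an untrusted origin was granted credentialed access. A literal "*" with
// credentials is also a misconfiguration, but browsers reject it, so it is not counted.
function grantsCredentialedAccess(sentOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  const creds = h['access-control-allow-credentials'] === 'true';
  return creds && acao === sentOrigin && !TRUSTED_ORIGINS.has(sentOrigin);
}

// Constructed sample, modelled on the two headers the research reports for a request
// sent from https://OkCupidmeethehacker.com (the rest of the response is not reproduced).
const SENT_ORIGIN = 'https://OkCupidmeethehacker.com';
const SAMPLE_RESPONSE = {
  'Access-Control-Allow-Origin': 'https://OkCupidmeethehacker.com',
  'Access-Control-Allow-Credentials': 'true',
  'Content-Type': 'application/json',
};

console.log('captured response grants credentialed access:',
  grantsCredentialedAccess(SENT_ORIGIN, SAMPLE_RESPONSE));
console.log('allowlisted handler for that origin:', corsHeadersAllowlisted(SENT_ORIGIN));
```

Run against the constructed sample, the audit helper reports the exposure; run against the allowlisted handler's output for the same origin, it reports none, because that handler returns no CORS headers at all for an origin outside the list.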

We were able to find more useful data in the bootstrap API endpoint, namely further sensitive API endpoints on the API server:

The following screenshot demonstrates sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot demonstrates exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:
