Hacker, 22, seeks LTR with your computer data: vulnerabilities entirely on popular dating app that is okCupid

No Real Daters Harmed in This Exercise

Research by Alon Boxiner, Eran Vaknin

With over 50 million registered users since its launch, the majority aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived in 2004 when four friends from Harvard created the first free online dating service, it claims that more than 91 million connections are made through it annually and 50K dates are made every week, and in 2012 it became the first major dating site to create a mobile app.

Dating apps provide a convenient, accessible and instant way of meeting other people who use the application. By sharing personal preferences in any area, and using the app's matching algorithm, it connects users to like-minded people who can immediately start interacting via instant messaging.

To make all of these connections, OkCupid builds personal profiles for all its users, so that it can make the best match, or matches, based on each user's valuable personal information.

Of course, these detailed personal profiles are not only of interest to potential love matches. They are also highly prized by hackers, as they are the 'gold standard' of data, either for use in targeted attacks or for selling on to other hacking groups, because they allow attack attempts to be highly convincing to unsuspecting targets.

As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to look into the OkCupid application and see whether we could find anything that matched our interests. And we found several things that led us into a much deeper relationship (purely professional, of course). The vulnerabilities we discovered and have described in this research could have allowed attackers to:

  • Expose users' sensitive data stored in the application.
  • Perform actions on behalf of the victim.
  • Steal users' profile and private data, preferences and characteristics.
  • Steal users' authentication token, users' IDs, and other sensitive information such as email addresses.
  • Send the collected data to the attacker's server.

Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly implemented to ensure its users can safely keep using the OkCupid application.

OkCupid added: "Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Checkpoint who, with OkCupid, put the security and privacy of our users first."

Mobile Platform

We started our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (with JavaScript enabled in the context of that WebView window) and loads remote URLs such as https://OkCupid.com, https://www.OkCupid.com, https://OkCupid.Onelink.me and more.

Deep links help attackers’ intents

While reverse engineering the OkCupid application, we found that it has "deep links" functionality, which makes it possible to invoke intents in the app using a browser link.

The intents that the application listens for are the "https://OkCupid.com" schema, the "OkCupid://" custom schema and several more schemas:

An attacker can send a custom link that uses the schemas mentioned above. As long as the custom link contains the "section" parameter, the mobile application will open a WebView (browser) window inside the OkCupid mobile application. Any request made from it will be sent with the user's cookies.

For demonstration purposes, we used the following link:

The mobile application opens a WebView (browser) window with JavaScript enabled.

Reflected Cross-Site Scripting (XSS)

As our research continued, we discovered that OkCupid's main domain, https://www.OkCupid.com, is vulnerable to an XSS attack.

The injection point for the XSS attack was found in the user settings functionality.

Retrieving the user profile settings is done using an HTTP GET request sent to the following path:

The section parameter is injectable, and an attacker could use it to inject malicious JavaScript code.

For demonstration purposes, we popped a simple alert window. Note: as we noted above, the mobile application opens a WebView window, so the XSS executes in the context of an authenticated user of the OkCupid mobile application.
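The reflection described above, modelled as an added example (not OkCupid's code): a settings page that puts the `section` query parameter back into its HTML. The vulnerable renderer concatenates the parameter unchanged; the hardened one HTML-encodes it on output, so markup in the parameter is displayed as text rather than executed. A small detector then scans constructed access-log lines (the paths and addresses are made up here, not taken from the page) for a `section` value that carries script or event-handler markup, which is what a defender would look for after a report like this one.

```javascript
// Added example, not OkCupid's server code. Models a server-side renderer for a
// "section" query parameter, vulnerable and hardened forms side by side.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of an HTML text or attribute context.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Vulnerable: whatever arrived in ?section= is written into the page as-is,
// so a value such as <script>...</script> becomes live markup.
function renderSettingsVulnerable(section) {
  return `<div class="settings" data-section="${section}">Settings: ${section}</div>`;
}

// Hardened: the parameter is encoded at the point of output, in both the
// attribute and the text position. The browser shows the characters literally.
function renderSettingsHardened(section) {
  const safe = htmlEncode(section);
  return `<div class="settings" data-section="${safe}">Settings: ${safe}</div>`;
}

// Constructed sample log lines (Combined Log Format style), not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /settings?section=profile HTTP/1.1" 200 512',
  '10.0.0.6 - - [01/Jan/2020:10:00:01 +0000] "GET /settings?section=%3Cscript%20src%3D%22https%3A%2F%2Fattacker.example%2Fx.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 612',
  '10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /settings?section=privacy%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 540',
];

// Detection: URL-decode the section parameter of each GET and flag values that
// contain a script tag, a javascript: URL or an inline event handler.
function suspiciousSectionRequests(lines) {
  const pattern = /<\s*script|javascript:|on\w+\s*=/i;
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"GET (\S+) HTTP/);
    if (!m) continue;
    // The base is a placeholder; only the path and query of the logged request matter.
    const url = new URL(m[1], 'https://placeholder.invalid');
    const section = url.searchParams.get('section'); // percent-decoded by URLSearchParams
    if (section !== null && pattern.test(section)) {
      hits.push({ path: url.pathname, section });
    }
  }
  return hits;
}

// Stand-alone run: show both renderings of a probe value and the log hits.
const probe = '<script>alert(1)</script>';
console.log('vulnerable:', renderSettingsVulnerable(probe));
console.log('hardened:  ', renderSettingsHardened(probe));
console.log('log hits:  ', suspiciousSectionRequests(SAMPLE_LOG));
```

Output encoding is the fix for the reflection itself; if the set of valid section names is small and known, validating the parameter against that allowlist before rendering is a cheap second layer. The detector only matches decoded values, so a payload that is double-encoded in the log would need the decoding applied twice; that is a known gap of this simple form.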

Sensitive Data Exposure & Performing Actions on Behalf of the Victim

Up to this point, we were able to launch the OkCupid mobile application with a deep link, OkCupid://, containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the upper section contains the XSS payload and the bottom section is the same payload with URL encoding applied):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for exfiltration and contains 3 functions:

  1. Steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. The user's sensitive information (PII), such as email address, is exfiltrated too.
  2. Steal_data – Steals the user's profile and private data, preferences, the user's characteristics (e.g. answers filled in during registration), and more.
  3. Send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.

Steal_token function:

The function makes an API call to the server. The user's cookies are sent with it, since the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON document containing the user's id as well as the authentication token:

Steal data function:

The function creates an HTTP request to the https://www.OkCupid.com:443/graphql endpoint.

Based on the information exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with information about the victim's profile, including email, sexual orientation, height, family status, etc.

Send data to attacker function:

The function creates a POST request to the attacker's server containing all the details retrieved in the previous function calls (the steal_token and steal_data functions).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is also possible thanks to the exfiltration of the victim's authentication token and the user's id. This information can be used in the malicious JavaScript code (in the same way as in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data using the information exfiltrated in the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (as the bearer value).
  2. The user id, userId, is added as required.

Note: An attacker cannot perform a full account takeover because the cookies are protected with the HttpOnly flag.

Web Platform Vulnerabilities

Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured correctly: any origin can send requests to the server and read its responses. The following request shows a request sent to the API server from the origin https://OkCupidmeethehacker.com:

The server does not validate the origin properly and responds with the requested data. Furthermore, the server response contains the Access-Control-Allow-Origin: https://OkCupidmeethehacker.com and Access-Control-Allow-Credentials: true headers:

From this point on, we knew that we could send requests to the API server from our domain (OkCupidmeethehacker.com) without being blocked by the CORS policy.
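The policy decision behind the headers shown above, as an added example that is not OkCupid's server code: a reflecting policy echoes whatever `Origin` the browser sent and allows credentials, which is the behaviour observed on the API server; the hardened form compares the full origin (scheme, host and port) against an explicit allowlist and sends no CORS headers otherwise. The origins in the allowlist are assumed placeholder values. A third function models the browser's own rule for whether a page may read a credentialed cross-origin response, so the two policies can be compared against it.

```javascript
// Added example, not OkCupid's server code. Models how a CORS policy chooses the
// Access-Control-Allow-* headers for a credentialed API request.

// Vulnerable: reflect the request's Origin and allow credentials. Any site that
// a logged-in victim visits can then read API responses carrying the victim's cookies.
function corsHeadersVulnerable(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact match of the full origin against an allowlist. Unknown origins
// get no Allow-Origin header, so the browser refuses to hand the response to the
// page. Vary: Origin stops a shared cache from replaying one origin's headers to
// another. The entries below are assumed placeholders, not the real deployment's.
const ALLOWED_ORIGINS = new Set([
  'https://www.okcupid.example',
  'https://okcupid.example',
]);

function corsHeadersHardened(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { 'Vary': 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Model of the browser's read check: for a credentialed request the header must
// name the page's exact origin (no wildcard) and credentials must be explicitly
// allowed; for an anonymous request a wildcard or exact match is enough.
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const allowOrigin = responseHeaders['Access-Control-Allow-Origin'];
  if (!allowOrigin) return false;
  if (withCredentials) {
    return allowOrigin === pageOrigin &&
      responseHeaders['Access-Control-Allow-Credentials'] === 'true';
  }
  return allowOrigin === '*' || allowOrigin === pageOrigin;
}

// Stand-alone run: an attacker-controlled page against both policies.
const attackerPage = 'https://attacker.example';
for (const [name, policy] of [['vulnerable', corsHeadersVulnerable], ['hardened', corsHeadersHardened]]) {
  const headers = policy({ origin: attackerPage });
  console.log(name, 'lets', attackerPage, 'read a credentialed response:',
    browserAllowsRead(attackerPage, headers, true));
}
```

The comparison has to be on the whole origin string. Suffix or substring checks (accepting any origin that ends in the site's domain, or that merely contains it) are a common way a "validated" policy still admits attacker-registered hosts, and they are worth looking for when reviewing a CORS implementation that appears to use an allowlist.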

Once a victim is authenticated to the OkCupid application and browses to the attacker's web application (https://OkCupidmeethehacker.com), an HTTP GET request is sent to https://api.OkCupid.com/1/native/bootstrap carrying the victim's cookies. The server's response contains a large JSON document that includes the victim's authentication token (oauth_accesstoken) and the victim's user_id.

We were able to find more useful data in the bootstrap API endpoint, namely sensitive API endpoints on the API server:

The following screenshot shows exfiltration of sensitive PII data from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token: