Research by Alon Boxiner, Eran Vaknin
With over 50 million users since its launch, most of them aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived in 2004 when four friends from Harvard created the first free online dating service, it claims that more than 91 million connections are made through it annually and 50K dates are made every week, and in 2012 it became the first major dating site to launch a mobile app.
Dating apps provide a convenient, accessible and instant way to meet other people using the application. By sharing personal preferences in almost any area, and using the app's advanced algorithm, it matches users with like-minded people who can immediately begin interacting via instant messaging.
To make all of these connections, OkCupid builds personal profiles for all of its users, so that it can make the best match, or matches, based on each user's valuable personal information.
Needless to say, these detailed user profiles are not only of interest to potential love matches. They are also highly prized by hackers, as they are the 'gold standard' of data, either to be used in targeted attacks or to be sold on to other hacking groups, because they allow attack attempts to be highly convincing to unsuspecting targets.
As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to investigate the OkCupid application and see whether we could find something that matched our interests. And we found a number of things that led us into a much deeper relationship (purely professional, of course). The vulnerabilities we discovered and have described in this research could have allowed attackers to:
Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a fix was responsibly deployed to ensure its users can safely continue using the OkCupid application.
OkCupid added: "Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Checkpoint who with OkCupid, put the security and privacy of our users first."
While reverse engineering the OkCupid application, we found that it has "deep links" functionality, which makes it possible to invoke intents in the app using a browser link.
The intents that the application listens to are the "https://OkCupid.com" scheme, the "OkCupid://" custom scheme and several more schemes:
An attacker can send a custom link that uses the schemes mentioned above. Because the custom link contains the "section" parameter, the mobile application opens a WebView (browser) window inside the OkCupid mobile application. Any request made from it is sent with the user's cookies.
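One way a deep-link handler can decide what its cookie-bearing WebView is allowed to load, as an added example that is not OkCupid's code: the accepted section names, the app host and the scheme list are assumptions, and the handler rejects anything that is not an exact, known section name rather than forwarding the raw parameter.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed values for illustration: the schemes the app registers, the web
# origin its WebView is allowed to load, and a fixed set of section names.
APP_SCHEMES = {"https", "okcupid"}
APP_ORIGIN = "https://www.okcupid.com"
SECTIONS = {
    "profile": "/profile",
    "settings": "/settings",
    "messages": "/messages",
}


def resolve_section(deep_link: str) -> Optional[str]:
    """Return the URL the WebView may load for this deep link, or None to reject it.

    The untrusted 'section' value is used only as a lookup key into SECTIONS,
    so no attacker-chosen path, query string, scheme or encoded payload can
    reach the authenticated WebView through this parameter.
    """
    link = urlsplit(deep_link)
    if link.scheme.lower() not in APP_SCHEMES:
        return None
    values = parse_qs(link.query).get("section", [])
    if len(values) != 1:          # missing, empty or duplicated parameter
        return None
    path = SECTIONS.get(values[0])
    if path is None:              # unknown section: do not open the WebView
        return None
    return APP_ORIGIN + path
```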
For demonstration purposes, we used the following link:
As our research continued, we discovered that the OkCupid main domain, https://www.OkCupid.com, is vulnerable to an XSS attack.
The injection point for the XSS attack was located in the user settings functionality.
Retrieving the user profile settings is done with an HTTP GET request sent to the following path:
For the purpose of demonstration, we popped a simple alert window. Note: as we noted above, the mobile application opens a WebView window, so the XSS executes in the context of an authenticated user of the OkCupid mobile application.
The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):
The function generates an API call to the server. The user's cookies are sent to the server because the XSS payload executes in the context of the application's WebView.
The server responds with a large JSON document containing the user's id and the authentication token as well:
The function creates an HTTP request to the https://www.OkCupid.com:443/graphql endpoint.
Based on the information exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.
The server responds with the information about the victim's profile, including e-mail, sexual orientation, height, family status, etc.
The function creates a POST request to the attacker's server containing all the details retrieved in the previous function calls (the steal_token and steal_data functions).
The following screenshot demonstrates an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:
An attacker can perform actions such as sending messages and changing profile data using the information exfiltrated in the steal_token function:
Note: An attacker cannot perform full account takeover because the cookies are protected with HttpOnly.
During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured correctly: any origin can send requests to the server and read its responses. The following request shows a request sent to the API server from the origin https://OkCupidmeethehacker.com:
The server does not validate the origin properly and responds with the requested information. Furthermore, the server response contains the headers Access-Control-Allow-Origin: https://OkCupidmeethehacker.com and Access-Control-Allow-Credentials: true:
At this point, we knew that we could send requests to the API server from our domain (OkCupidmeethehacker.com) without being blocked by the CORS policy.
Once a victim is authenticated on the OkCupid application and browses to the attacker's web application (https://OkCupidmeethehacker.com), an HTTP GET request is sent to https://api.OkCupid.com/1/native/bootstrap containing the victim's cookies. The server's response contains a large JSON document containing the victim's authentication token (oauth_accesstoken) and the victim's user_id.
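The CORS behaviour described above, as an added example that is not OkCupid's code: an origin-reflecting handler that reproduces the misconfiguration on this page, a strict allowlist handler beside it, and a check that tells, from a set of response headers, whether a given origin would be allowed a credentialed cross-origin read. The allowlisted origins are assumptions.

```python
from typing import Dict, Optional

# Assumed: the only web origins that legitimately need credentialed API access.
ALLOWED_ORIGINS = {"https://www.okcupid.com", "https://m.okcupid.com"}


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Misconfiguration from this page: echo any Origin and allow credentials."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_strict(origin: Optional[str]) -> Dict[str, str]:
    """Grant credentialed access only to an exact allowlisted origin.

    Exact set membership avoids prefix/suffix matching mistakes such as
    accepting https://www.okcupid.com.evil.example. With no match, no
    Access-Control-Allow-Origin header is emitted, so the browser blocks
    the cross-origin read of the response.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # caches must not reuse the grant across origins


def credentialed_read_allowed(origin: str, headers: Dict[str, str]) -> bool:
    """Would a browser let `origin` read a cookie-authenticated response with these headers?"""
    lowered = {k.lower(): v for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    creds = lowered.get("access-control-allow-credentials", "").lower() == "true"
    # A wildcard is never honoured together with credentials, so only an
    # exact origin match combined with Allow-Credentials: true is exploitable.
    return creds and acao == origin
```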
We were able to find more useful data in the bootstrap API endpoint: sensitive API endpoints on the API server:
The following screenshot demonstrates sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:
The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token: