No Actual Daters Harmed in This Exercise
Analysis by Alon Boxiner, Eran Vaknin
With more than 50 million registered users since its launch, and the majority aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived when four friends from Harvard developed the first free online dating service, it claims that more than 91 million connections are made through it annually and 50K dates are made every week, and it became the first major dating site to create a mobile app.
Dating apps enable a convenient, accessible and immediate connection with other people using the app. By sharing personal preferences in any area, and using the app's advanced algorithm, it brings users together with like-minded individuals who can immediately start interacting via instant messaging.
To create all those connections, OkCupid builds private profiles for all its users, so it can make the best match, or matches, based on each user's valuable personal information.
Of course, these detailed personal profiles are not only of interest to potential love matches. They're also highly prized by hackers, as they're the 'gold standard' of data either for use in targeted attacks, or for selling on to other hacking groups, because they enable attack attempts to be highly convincing to unsuspecting targets.
As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to look into the OkCupid app and see if we could find anything that matched our interests. And we found several things that led us into a deeper relationship (purely professional, of course). The vulnerabilities we discovered and have described in this research could have allowed attackers to:
- Expose users' sensitive data stored on the app.
- Perform actions on behalf of the victim.
- Steal users' profile and private data, preferences and characteristics.
- Steal users' authentication token, users' IDs, and other sensitive information such as email addresses.
- Send the data gathered to the attacker's server.
Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely keep using the OkCupid app.
OkCupid added: "Not a single user was impacted by the possible vulnerability on OkCupid, and we were able to correct it within 48 hours. We're grateful to partners like Checkpoint who, with OkCupid, put the privacy and safety of our users first."
Mobile Platform
We started our research with some reverse engineering of the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (and allows JavaScript to execute in the context of the WebView window) and loads remote URLs such as and more.
Deep links enable attackers' intents
While reverse engineering the OkCupid application, we discovered that it has "deep links" functionality, which makes it possible to invoke intents in the app using a browser link.
The intents that the application listens to are the schema, custom schema and several more schemas:
An attacker can send a custom link that contains the schemas mentioned above. Since the custom link will contain the "section" parameter, the mobile application will open a webview (browser) window – OkCupid mobile application. Any request will be sent with the users' cookies.
For demonstration purposes, we used the following link:
The mobile application opens a webview (browser) window with JavaScript enabled.
Reflected Cross-Site Scripting (XSS)
As our research continued, we found that the OkCupid main domain is vulnerable to an XSS attack.
The injection point of the XSS attack was found in the user settings functionality.
Retrieving the user profile settings is done using an HTTP GET request sent to the following path:
The section parameter is injectable, and a hacker could use it to inject malicious JavaScript code.
For the purpose of demonstration, we popped an empty alert window. Note: as we noted above, the mobile application opens a WebView window, so the XSS is executed in the context of an authenticated user using the OkCupid mobile application.
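The two weaknesses described above (a deep link that opens an authenticated WebView, and a reflected "section" parameter) can each be closed with a small check. The following is an added example, not code from OkCupid or from the original research; the host name, the list of section names and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical hosts, section names and function names.
const ALLOWED_SCHEMES = new Set(["https:"]);
const ALLOWED_HOSTS = new Set(["www.dating.example"]); // placeholder host
const ALLOWED_SECTIONS = new Set(["profile", "notifications", "privacy"]); // constructed

// Client side: decide whether a deep link may be loaded into the
// authenticated WebView (which sends the user's cookies with every request).
function checkDeepLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { allow: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { allow: false, reason: "scheme" };
  if (url.username || url.password) return { allow: false, reason: "userinfo" };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { allow: false, reason: "host" };
  // The decoded "section" value must be one of the known section names.
  const sections = url.searchParams.getAll("section");
  if (sections.length > 1) return { allow: false, reason: "duplicate section" };
  if (sections.length === 1 && !ALLOWED_SECTIONS.has(sections[0])) {
    return { allow: false, reason: "section" };
  }
  return { allow: true, reason: "ok" };
}

// Server side: encode the value for an HTML context before reflecting it.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflects the parameter into the settings page without letting it break
// out of the attribute it is placed in.
function renderSettings(section) {
  return `<div id="settings" data-section="${escapeHtml(section)}"></div>`;
}

// Constructed sample links: one legitimate, one carrying an empty alert.
const samples = [
  "https://www.dating.example/settings?section=privacy",
  'https://www.dating.example/settings?section="><script>alert()</script>',
];
for (const link of samples) console.log(checkDeepLink(link).reason, "-", link);
```

The client-side check stops the link before the WebView loads it, and the server-side encoding keeps the parameter inert even when a request reaches the settings page by another route.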