Researchers exploring OkCupid for security flaws have found a way which could be used by hackers to steal the sensitive data of users.
OkCupid, having more than 50 million registered users since its launch is one of the most popular dating apps which can organize around 50,000 dates per week.
Due to coronavirus pandemic and social distancing measures, meeting new people in a bar or other public space is difficult and many have opted online dating and virtual meetups as an alternative.
The dating platforms has experienced a 20% increase in conversations worldwide and a 10% increase in matches since the beginning of lockdowns imposed due to COVID-19.
Having a large user base however has an additional risk to personal data when security is not maintained well.
Check Point Research revealed a set of vulnerabilities in OkCupid that might lead to the exposure of sensitive profile data on the OkCupid app, the hijack of user accounts to perform various actions without their consent, and the theft of user authentication tokens, IDs and email addresses.
Here, the app in question is the android version 40.3.1 of OkCupid on Android 6.0.1 becoming the test subject.
The cybersecurity researchers reverse-engineered the mobile software and discovered “deep link” functionality, which indicates that an attacker can send custom, malicious links to open the mobile app.
When a targeted user clicks on a crafted link which has been sent personally through the app or posted on a public forum, their PII, profile data, user characteristics submitted while creating the profiles etc. could all be compromised and exfiltrated to the attacker’s command-and-control server (C2).
Since this vulnerability could be used to steal IDs and tokens, the attackers can also execute actions on their behalf, such as sending messages. Due to the presence of cookie protection, a full account takeover is however not possible.
The researchers also uncovered a misconfigured Cross-Origin Resource Sharing (CORS) policy in the API server of api.OkCupid.com, allowing any origin to send requests to the server and to read responses. Further attacks could lead to the filtration of user data from the profile API endpoint.
The huge trove of personal data possibly collected by attackers could be used in social engineering attempts, which might lead to even more damaging consequences.
OkCupid was contacted about the findings and the security issues have now been resolved.
The company acknowledged that none of the users were affected by the vulnerability and that they were able to fix the issue within 48 hours.