Researchers have discovered a slew of issues in the popular OkCupid dating app, which could have allowed attackers to collect users’ sensitive dating information, manipulate their profile data or even send messages from their profile.
OkCupid is one of the most popular dating platforms worldwide, with more than 50 million registered users, mostly aged between 25 and 34. Researchers found flaws in both the Android mobile application and webpage of the service. These flaws could have potentially revealed a user’s full profile details, private messages, sexual orientation, personal addresses and all submitted answers to OKCupid’s profiling questions, they said.
The flaws are fixed, but “our research into OKCupid, which is one of the longest-standing and most popular applications in their sector, has led us to raise some serious questions over the security of dating apps,” said Oded Vanunu, head of products vulnerability research at Check Point Research, on Wednesday. “The fundamental questions being: How safe are my intimate details on the application? How easily can someone I don’t know access my most private photos, messages and details? We’ve learned that dating apps can be far from safe.”
Check Point researchers disclosed their findings to OKCupid, after which OkCupid acknowledged the issues and fixed the security flaws in their servers.
“Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours,” said OkCupid in a statement. “We’re grateful to partners like Check Point who with OkCupid, put the safety and privacy of our users first.”
The Flaws
To carry out the attack, a threat actor would need to convince OkCupid users to click on a single, malicious link in order to then execute malicious code into the web and mobile pages. An attacker could either send the link to the victim (either on OkCupid’s own platform, or on social media), or publish it in a public forum. Once the victim clicks on the malicious link, the data is then exfiltrated.
The reason this works is because the main OkCupid domain (https://www.OkCupid.com) was vulnerable to a cross-site scripting (XSS) attack. Upon reverse-engineering the OkCupid Android Mobile application (v40.3.1 on Android 6.0.1), researchers found the app listens to “intents” that follow custom schemas (such as the “OkCupid://” custom schema) via a browser link. Researchers were able to inject malicious JavaScript code into the “section” parameter of the user profile settings in the settings functionality (https://www.OkCupid.com/settings?section=<value>).
Attackers could use a XSS payload that loads a script file from an attacker controlled server, with JavaScript that can be used for data exfiltration. This could be utilized to steal users’ authentication tokens, account IDs, cookies, as well as sensitive account data like email addresses. It could also steal users’ profile data, as well as their private messages with others.
Then, using the authorization token and user ID, an attacker could execute actions such as changing profile data and sending messages from users’ profile account: “The attack ultimately enables an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user’s data,” according to researchers.
Dating Apps Under Scrutiny
It’s not the first time the OkCupid platform has had security flaws. In 2019, a critical flaw was found in the OkCupid app that could allow a bad actor to steal credentials, launch man-in-the-middle attacks or completely compromise the victim’s application. Separately, OKCupid denied a data breach after reports surfaced of users complaining that their accounts were hacked. Other dating apps – including Coffee Meets Bagel, MobiFriends and Grindr – have all had their share of privacy issues, and many notoriously collect and reserve the right to share information.
In June 2019, an analysis from ProPrivacy found that dating apps including Match and Tinder collect everything from chat content to financial data on their users — and then they share it. Their privacy policies also reserve the right to specifically share personal information with advertisers and other commercial business partners. The problem is that users are often unaware of these privacy practices.
“Every maker and user of a dating app should pause for a moment to reflect on what more can be done around security, especially as we enter what could be an imminent cyber pandemic,” Check Point’s Vanunu said. “Applications with sensitive personal information, like a dating app, have proven to be targets of hackers, hence the critical importance of securing them.”