No Actual Daters Harmed in This Exercise
Analysis by Alon Boxiner, Eran Vaknin
With more than 50 million users registered since its launch, most of them aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived in 2004, when four friends from Harvard created the first free online dating service, it claims that more than 91 million connections are made through it every year and 50K dates are arranged every week, and in 2012 it became the first major dating website to create a mobile app.
Dating apps enable a comfortable, open and immediate connection with other people using the app. By sharing personal preferences in every area, and using the app's sophisticated matching algorithm, it connects users to like-minded people who can immediately start communicating via instant messaging.
To create all these connections, OkCupid builds personal profiles for all its users, so that it can make the best match, or matches, based on each user's valuable private information.
Naturally, these detailed user profiles are not only of interest to potential partners. They are also highly prized by hackers, as they are the 'gold standard' of data, either for use in targeted attacks or for selling on to other hacking groups, since they allow attack attempts to be extremely convincing to unsuspecting targets.
As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to look into the OkCupid application and see whether we could find anything that matched our interests. And we did find several things that led us into a much deeper relationship (strictly professional, of course). The vulnerabilities we found and have described in this research could have allowed attackers to:
Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a fix was responsibly deployed to ensure its users can safely continue using the OkCupid app.
OkCupid added: "Not a single user was affected by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Checkpoint who, with OkCupid, put the privacy and security of our users first."
Mobile Platform
We started our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (and allows JavaScript to run within the context of the WebView window) and loads remote URLs such as , me and more.
Deep links allow attackers’ intents
While reverse engineering the OkCupid application, we discovered that it has "deep links" functionality, making it possible to invoke intents in the app through a browser link.
The intents that the application listens to are the schema, the custom schema and several more schemas:
An attacker can send a custom link that contains the schemas mentioned above. Since the custom link contains the "section" parameter, the OkCupid mobile application will open a WebView (browser) window. Any request made from it will be sent with the user's cookies.
For demonstration purposes, we used the following link:
The mobile application opens a WebView (browser) window with JavaScript enabled.
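The deep-link handling described above is the first link in the chain: whatever the link carries in "section" ends up in a JavaScript-enabled WebView that sends the user's cookies. The following is an added example, not code from the Check Point write-up or from the OkCupid app, showing how an app can vet a deep link before loading it. The scheme names, host names, section names and base URL are assumptions for illustration, since the article does not list the schemas the app actually registers.

```javascript
// Added example (not the app's or the researchers' code): vet a deep link
// before any part of it reaches a JavaScript-enabled WebView.
// Every scheme, host, section name and base URL below is an assumption.

const ALLOWED_SCHEMES = new Set(["https:", "exampleapp:"]);          // assumed
const ALLOWED_HOSTS = new Set(["app.example.com", "settings"]);       // assumed
const ALLOWED_SECTIONS = new Set(["profile", "privacy", "notifications"]); // assumed

// Returns the vetted section name, or null when the link must be refused.
function vetDeepLink(link) {
  let url;
  try {
    url = new URL(link);            // WHATWG parser; throws on garbage
  } catch (e) {
    return null;                    // unparseable: refuse
  }
  // A "javascript:" or unknown scheme never gets near the WebView.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;

  const section = url.searchParams.get("section");
  if (section === null) return null;
  // Exact match against a fixed list, so no attacker-chosen string
  // (markup, quotes, encoded payloads) is ever forwarded as-is.
  if (!ALLOWED_SECTIONS.has(section)) return null;
  return section;
}

// Builds the URL the WebView may load, or null. The target is rebuilt from
// trusted parts instead of forwarding the incoming link verbatim.
function webViewTarget(link) {
  const section = vetDeepLink(link);
  if (section === null) return null;
  const target = new URL("https://app.example.com/settings");       // assumed base
  target.searchParams.set("section", section);
  return target.toString();
}

// Stand-alone demo on constructed links.
console.log(webViewTarget("exampleapp://settings?section=profile"));
console.log(webViewTarget("exampleapp://settings?section=%3Cscript%3E1%3C%2Fscript%3E"));
```

The point of rebuilding the target URL is that the WebView, which carries the user's authenticated session, only ever sees values the app itself chose; the link is treated as a hint, not as something to load. A server-side check of the same parameter is still needed, since the web endpoint can be reached without the app.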
Reflected Cross-Site Scripting (XSS)
As our research continued, we found that the OkCupid main domain, , is vulnerable to an XSS attack.
The injection point for the XSS attack was found in the user settings functionality.
Retrieving a user's profile settings is done with an HTTP GET request sent to the following path:
The section parameter is injectable, and an attacker could use it to inject malicious JavaScript code.
For demonstration purposes, we popped an empty alert window. Note: as mentioned above, the mobile application opens a WebView window, so the XSS executes in the context of an authenticated user of the OkCupid mobile application.
Sensitive Data Exposure & Performing Actions on Behalf of the Victim
Up to this point, we were able to launch the OkCupid mobile application using a deep link containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the upper part contains the XSS payload and the lower part is the same payload, URL-encoded):
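The reflected XSS above comes down to one thing: the section parameter is written into the settings page without output encoding, and nothing stops the resulting script from fetching a second stage from another host. The following is an added example, not OkCupid's code, placing a reflecting render function beside its hardened form, with the response headers that would have blocked the jQuery and second-stage loads from the attacker's server even if an encoding bug had slipped through. The page template and header values are assumptions; the article does not show the real settings page markup.

```javascript
// Added example (not OkCupid's code): reflected parameter rendered unsafely,
// the same rendering with output encoding, and headers that block remote
// script loading. Template markup and header values are assumptions.

// Minimal HTML entity encoding for a value placed in an HTML body context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query parameter is concatenated straight into the page,
// so markup in it becomes part of the DOM.
function renderSettingsVulnerable(section) {
  return `<h1>Settings: ${section}</h1>`;
}

// Hardened: the same page, but the value is encoded on output.
function renderSettingsHardened(section) {
  return `<h1>Settings: ${escapeHtml(section)}</h1>`;
}

// Defence in depth for the second stage of the payload: a policy that only
// allows scripts from the page's own origin means a script tag that points
// at an attacker-controlled host is refused by the browser or WebView.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    "X-Content-Type-Options": "nosniff",
  };
}

// Detection helper for a test or a response-scanning proxy: does the rendered
// HTML still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demo with a constructed probe value.
const probe = "<script>alert(1)</script>";
console.log("vulnerable:", renderSettingsVulnerable(probe));
console.log("hardened:  ", renderSettingsHardened(probe));
console.log(securityHeaders());
```

Encoding at the point of output is the fix that addresses the bug itself; the Content-Security-Policy is a second layer that limits what an injected script could do, which matters here because the demonstrated payload's real work happens in the code it pulls from the attacker's host.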