Hacker, 22, seeks LTR with your data: vulnerabilities found on the popular OkCupid dating app
No Actual Daters Harmed in This Exercise
Research by Alon Boxiner, Eran Vaknin
With more than 50 million registered users since its launch, the majority of them aged between 25 and 34, OkCupid is one of the most popular dating platforms worldwide. Founded in 2004, when four friends from Harvard created the original free online dating site, it claims that more than 91 million connections are made through it every year, 50K dates are arranged every week, and in 2012 it became the first major dating site to create a mobile app.
Dating apps offer a comfortable, accessible and immediate connection with other people using the app. By sharing personal preferences in any area, and using the app's advanced algorithm, the service matches users to like-minded people who can immediately start communicating via instant messaging.
To create all of these connections, OkCupid builds personal profiles for all its users, so it can make the best match, or matches, based on each user's valuable private information.
Of course, these detailed personal profiles are not only of interest to potential love matches. They are also highly prized by hackers, as they are the 'gold standard' of data, either for use in targeted attacks or for selling on to other hacking groups, because they allow attack attempts to be very convincing to unsuspecting targets.
As our researchers have previously uncovered vulnerabilities in other popular social media platforms and apps, we decided to investigate the OkCupid app to see if we could find anything that matched our interests. And we found a number of things that led us into a much deeper relationship (purely professional, of course). The vulnerabilities we discovered and have described in this research could have allowed attackers to:
Expose users' sensitive data stored on the application.
Perform actions on behalf of the victim.
Steal users' profile and private data, preferences and characteristics.
Steal users' authentication token, users' IDs, and other sensitive information such as e-mail addresses.
Send the collected data to the attacker's server.
Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app.
OkCupid added: “Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Checkpoint who, with OkCupid, put the security and privacy of our users first.”
Mobile Platform
We started our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (and allows JavaScript to execute in the context of the WebView window) and loads remote URLs such as https://okcupid.com, https://www.okcupid.com, https://okcupid.onelink.me and more.
Deep links allow attackers’ intents
While reverse engineering the OkCupid application, we discovered that it has “deep links” functionality, making it possible to invoke intents in the app via a browser link.
The intents that the application listens to are the “https://okcupid.com” schema, the “okcupid://” custom schema and several more schemas:
An attacker can send a custom link that contains the schemas mentioned above. Since the custom link will contain the “section” parameter, the mobile application will open a WebView (browser) window inside the OkCupid mobile application. Any request will be sent with the users' cookies.
For demonstration purposes, we utilized the following link:
The mobile application opens a WebView (browser) window with JavaScript enabled.
Reflected Cross-Site Scripting (XSS)
As our research continued, we discovered that OkCupid's main domain, https://www.okcupid.com, is vulnerable to an XSS attack.
The injection point of the XSS attack was found in the user settings functionality.
Retrieving a user's profile settings is done with an HTTP GET request sent to the following path:
The section parameter is injectable and an attacker could use it to inject malicious JavaScript code.
For demonstration purposes, we popped an empty alert window. Note: as we noted above, the mobile application opens a WebView window, so the XSS is executed in the context of an authenticated user of the OkCupid mobile application.
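As an added example (not OkCupid's code nor Check Point's), here are the two checks that break this chain, written in Python for illustration: the app refusing to load anything but allowlisted https hosts into its cookie-bearing WebView, and the server treating `section` as an allowlisted enumeration instead of echoing it back. The host and section names are hypothetical.

```python
import html
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlists (not OkCupid's real configuration): the hosts the
# WebView may load, and the settings sections the page knows how to render.
ALLOWED_WEBVIEW_HOSTS = {"www.okcupid.com", "okcupid.com"}
KNOWN_SECTIONS = {"profile", "privacy", "notifications"}


def webview_target_from_deep_link(link: str) -> Optional[str]:
    """Return the https URL the WebView may load for a deep link, or None.

    Only https links (or the custom okcupid:// scheme, mapped to https) whose
    host is allowlisted pass. Anything else is refused instead of being loaded
    into a JavaScript-enabled WebView with the user's cookies attached.
    """
    parts = urlsplit(link)
    scheme = parts.scheme.lower()
    if scheme == "okcupid":
        scheme = "https"
    elif scheme != "https":
        return None  # javascript:, http:, file:, data: and friends are all refused
    host = (parts.hostname or "").lower()  # hostname ignores user@ and :port tricks
    if host not in ALLOWED_WEBVIEW_HOSTS:
        return None
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


def render_settings_section(query: str) -> str:
    """Server-side rendering of the `section` parameter from a query string.

    A fixed-enumeration parameter is validated against an allowlist first, and
    the only attacker-controlled text that is ever echoed is HTML-escaped, so a
    reflected payload is neither executed nor rendered as markup.
    """
    section = parse_qs(query).get("section", [""])[0]
    if section not in KNOWN_SECTIONS:
        return f'<p class="error">Unknown section: {html.escape(section, quote=True)}</p>'
    return f'<div id="settings-{section}">...</div>'
```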
Sensitive Data Exposure & Performing actions on behalf of the victim
Up to this point, we were able to launch the OkCupid mobile application via a deep link, okcupid://, containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the top section contains the XSS payload while the bottom section is the same payload URL-encoded):
The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):
The server reflects the payload sent earlier in the section parameter, so the injected JavaScript code is executed in the context of the WebView.
As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for exfiltration and account takeover, and contains 3 functions:
steal_token – Steals the users' authentication token, oauthAccessToken, and the users' id, userid. Users' sensitive information (PII), such as e-mail address, is exfiltrated as well.
steal_data – Steals users' profile and private data, preferences, users' characteristics (e.g. answers filled in during registration), and more.
send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.
steal_token function:
The function makes an API call to the server. The users' cookies are sent to the server because the XSS payload is executed in the context of the application's WebView.
The server responds with a large JSON containing the users' id and the authentication token as well:
steal_data function:
The function makes an HTTP request to the https://www.okcupid.com:443/graphql endpoint.
Based on the data exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.
The server responds with all the information about the victim's profile, including e-mail, sexual orientation, height, family status, etc.
send_data_to_attacker function:
The function makes a POST request to the attacker's server containing all the details retrieved in the previous functions (steal_token and steal_data).
The following screenshot demonstrates an HTTP POST request sent to the attacker's server. The request body contains all the victim's sensitive information:
Performing actions on behalf of the victim is also possible thanks to the exfiltration of the victim's authentication token and the users' id. These details can be used in the malicious JavaScript code (in the same way as in the steal_data function).
An attacker can perform actions such as sending messages and changing profile data with the information exfiltrated in the steal_token function:
The authentication token, oauthAccessToken, is used in the authorization header (bearer value).
The user id, userId, is added as needed.
Note: An attacker cannot perform a full account takeover because the cookies are protected with HTTPOnly.
Web Platform Vulnerabilities
Misconfigured Cross-Origin Resource Sharing Policy Leads To Sensitive Data Exposure
During the research, we found that the CORS policy of the API server api.okcupid.com is not configured properly and any origin can send requests to the server and read its responses. The following request is a request sent to the API server from the origin https://okcupidmeethehacker.com:
The server does not validate the origin properly and responds with the requested data. Moreover, the server response contains the Access-Control-Allow-Origin: https://okcupidmeethehacker.com and Access-Control-Allow-Credentials: true headers:
At this point, we understood that we could send requests to the API server from our domain (okcupidmeethehacker.com) without being blocked by the CORS policy.
As soon as a victim who is authenticated on OkCupid browses to the attacker's web application (https://okcupidmeethehacker.com), an HTTP GET request is sent to https://api.okcupid.com/1/native/bootstrap containing the victim's cookies. The server's response contains a large JSON with the victim's authentication token (oauth_accesstoken) and the victim's user_id.
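As an added example (not OkCupid's code nor Check Point's), the CORS logic behind this finding in Python: the origin-reflecting handler beside an exact-match allowlist, the browser's rule for when a credentialed response may be read, and a probe an API owner can run against their own endpoint. The trusted-origin list and the probe origin are hypothetical.

```python
from typing import Callable, Dict, Optional

# Hypothetical first-party origins (not OkCupid's real configuration).
TRUSTED_ORIGINS = {"https://www.okcupid.com", "https://okcupid.com"}


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """The misconfiguration described above: whatever Origin the browser sends is
    echoed back with credentials allowed, so any site can read the
    authenticated response."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlisted(origin: Optional[str]) -> Dict[str, str]:
    """Hardened variant: credentials are shared only with an exact-match trusted
    origin. Anything else gets no CORS headers at all, which the browser treats
    as a refusal (the request still reaches the server, but the page cannot
    read the response). Vary: Origin stops caches from serving one origin's
    headers to another."""
    if origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def credentialed_read_allowed(origin: str, headers: Dict[str, str]) -> bool:
    """Browser-side rule (simplified from the Fetch spec): a page at `origin` may
    read a credentialed response only if ACAO equals its origin exactly (the
    '*' wildcard is rejected when credentials are sent) and ACAC is 'true'."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower()
    return acao == origin and acac == "true"


def origin_reflection_check(server: Callable[[Optional[str]], Dict[str, str]],
                            probe_origin: str = "https://cors-probe.invalid") -> bool:
    """Misconfiguration probe for your own API: present an origin you do not
    serve; if the response would let that origin read credentialed data, the
    server is reflecting origins. `server` is any callable(origin) -> headers,
    so the same check works against a live endpoint via an HTTP client."""
    return credentialed_read_allowed(probe_origin, server(probe_origin))
```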
We were able to find more useful data in the bootstrap API endpoint – sensitive API endpoints on the API server:
The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:
The following screenshot demonstrates exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token: