Hacker, 22, seeks LTR with your data: vulnerabilities found on popular OkCupid dating app

No Real Daters Harmed in This Exercise

Analysis by Alon Boxiner, Eran Vaknin

With more than 50 million registered users since its launch, most of them aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Founded in 2004 when four friends from Harvard created the first free online dating service, it claims that more than 91 million connections are made through it every year, 50K dates are arranged every week, and in 2012 it became the first major dating site to create a mobile app.

Dating apps offer a comfortable, accessible and immediate connection to other people using the app. By sharing personal preferences in every area, and using the app's advanced algorithm, it matches users to like-minded people who can immediately start communicating via instant messaging.

To make all these connections, OkCupid builds personal profiles for all its users, so it can make the best match, or matches, based on each user's valuable private information.

Of course, these detailed personal profiles are not only of interest to potential love matches. They are also highly prized by hackers, as they are the 'gold standard' of data, either for use in targeted attacks or for selling on to other hacking groups, because they allow attack attempts to be extremely convincing to unsuspecting targets.

As our researchers have uncovered weaknesses in other popular social media platforms and apps, we decided to research the OkCupid application and see if we could find something that matched our interests. And we found something special that led us into a much deeper relationship (purely professional, of course). The vulnerabilities we found and have described in this research could have allowed attackers to:

  • Expose users' sensitive data stored on the application.
  • Perform actions on behalf of the victim.
  • Steal users' profile and private data, preferences and characteristics.
  • Steal users' authentication token, user IDs, and other sensitive information such as email addresses.
  • Send the collected data to the attacker's server.

Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid application.

OkCupid added: "Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Checkpoint who with OkCupid, place the privacy and security of our users first."

Mobile Platform

We began our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (with JavaScript enabled in the context of the WebView window) and loads remote URLs such as https://okcupid.com, https://www.okcupid.com, https://okcupid.onelink.me and more.

Deep links help attackers’ intents

While reverse engineering the OkCupid application, we found that it has "deep links" functionality, allowing intents within the application to be invoked via a web browser link.

The intents that the application listens to are the "https://okcupid.com" schema, the "okcupid://" custom schema and many more schemas:

An attacker can send a custom link containing the schemas mentioned above. Because the custom link contains the "section" parameter, the mobile application opens a WebView (browser) window inside the OkCupid mobile application. Any request made from it is sent with the user's cookies.

For demonstration purposes, we used the following link:

The mobile application opens a WebView (browser) window with JavaScript enabled.
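The deep-link handler described above hands an attacker-controlled URL, including its section parameter, to a JavaScript-enabled WebView that carries the user's cookies. The following is an added example (not OkCupid's code) of the validation a mobile client can apply before loading such a link: scheme and host are checked against exact allowlists, and the section value is checked against the set of sections the app actually knows how to render. The trusted hosts and the section names are assumptions made for the example.

```javascript
// Added example, not OkCupid's code. Validate a deep link before it reaches a
// JavaScript-enabled WebView. Host and section allowlists are assumptions.
const TRUSTED_SCHEMES = new Set(['https:', 'okcupid:']);
const TRUSTED_HOSTS = new Set(['okcupid.com', 'www.okcupid.com']);
// Hypothetical set of settings sections the app can render.
const KNOWN_SECTIONS = new Set(['profile', 'privacy', 'notifications']);

// Returns { ok: true, url, section } when the link may be opened, otherwise
// { ok: false, reason } naming the first failed check.
function validateDeepLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG URL parser; handles custom okcupid:// links too
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  if (!TRUSTED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: 'scheme' }; // e.g. javascript: or http:
  }
  if (!TRUSTED_HOSTS.has(url.hostname.toLowerCase())) {
    return { ok: false, reason: 'host' }; // look-alike domains never match exactly
  }
  // searchParams decodes %XX sequences, so an encoded payload is compared decoded.
  const section = url.searchParams.get('section');
  if (section !== null && !KNOWN_SECTIONS.has(section)) {
    return { ok: false, reason: 'section' };
  }
  return { ok: true, url: url.href, section };
}
```

Client-side validation reduces the reach of a deep link but does not replace server-side output encoding of the reflected parameter; both layers are needed.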

Reflected Cross-Site Scripting (XSS)

As our research continued, we discovered that the OkCupid main domain, https://www.okcupid.com, is vulnerable to an XSS attack.

The injection point of this XSS attack was found in the user settings functionality.

Retrieving the user profile settings is done using an HTTP GET request sent to the following path:

The section parameter is injectable and an attacker could use it to inject malicious JavaScript code.

For demonstration purposes, we popped a simple alert window. Note: as we noted above, the mobile application opens a WebView window, so the XSS is executed in the context of an authenticated user of the OkCupid mobile application.
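The reflected XSS above exists because the section parameter is written back into the settings page unencoded. As an added example (not OkCupid's code), the block below models that render path in two forms, the vulnerable concatenation and a hardened version that HTML-encodes the value on output, and adds a small check a reviewer could run over logged request parameters to spot section values that carry markup. The page structure, the section names and the probe value are constructed for the example; only the parameter name comes from the research.

```javascript
// Added example, not OkCupid's code. Models a settings page that reflects the
// `section` query parameter into HTML. Section names are assumptions.
const KNOWN_SECTIONS = new Set(['profile', 'privacy', 'notifications']);

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw parameter is concatenated into the markup, so a value
// such as <script>...</script> is reflected verbatim and executes.
function renderSettingsVulnerable(section) {
  return `<h1>Settings: ${section}</h1><div data-section="${section}"></div>`;
}

// Hardened: encode on output for the HTML context the value lands in.
function renderSettingsHardened(section) {
  const safe = escapeHtml(section);
  return `<h1>Settings: ${safe}</h1><div data-section="${safe}"></div>`;
}

// Detection aid for access logs: flag a (possibly URL-encoded) section value that
// is not a known section and contains characters with HTML meaning.
function looksLikeInjection(rawSectionValue) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawSectionValue);
  } catch (e) {
    return true; // malformed percent-encoding is itself worth a look
  }
  return !KNOWN_SECTIONS.has(decoded) && /[<>"'&]/.test(decoded);
}
```

Encoding on output fixes the reflection regardless of what the parameter contains; the detection helper is for finding probes in historical logs, not a substitute for the fix.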

Sensitive Data Exposure & Performing actions on behalf of the victim

Up to this point, we were able to launch the OkCupid mobile application with a deep link, okcupid://, containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the upper part contains the XSS payload and the bottom part is the same payload with URL encoding applied):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for exfiltration and contains 3 functions:

  1. Steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userId. The user's sensitive information (PII), such as email address, is exfiltrated as well.
  2. Steal_data – Steals the user's profile and private data, preferences, the user's characteristics (e.g. answers filled in during registration), and more.
  3. Send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.

Steal_token function:

The function makes an API call to the server. The user's cookies are sent to the server because the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON containing the user's id and the authentication token:

Steal_data function:

The function makes an HTTP request to the https://www.okcupid.com:443/graphql endpoint.

Based on the data exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with the victim's profile information, including email, sexual orientation, height, family status, etc.

Send_data_to_attacker function:

The function makes a POST request to the attacker's server containing all the data retrieved in the previous functions (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is also possible thanks to the exfiltration of the victim's authentication token and user id. This data can be used in the malicious JavaScript code (in the same way it is used in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data using the data exfiltrated in the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (bearer value).
  2. The user id, userId, is added as needed.

Note: An attacker cannot perform a full account takeover because the cookies are protected with the HttpOnly flag.

Web Platform Vulnerabilities

Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Information Exposure

During the research, we found that the CORS policy of the API server api.okcupid.com is not configured properly: any origin can send requests to the server and read its responses. The following is a request sent to the API server from the origin https://okcupidmeethehacker.com:

The server does not properly validate the origin and responds with the requested data. Furthermore, the server response contains the headers Access-Control-Allow-Origin: https://okcupidmeethehacker.com and Access-Control-Allow-Credentials: true:

Only at that true point on, we noticed that individuals can deliver needs towards the API host from our domain (OkCupidmeethehacker.com) without having to be blocked because of the CORS policy.

Once a victim is authenticated on the OkCupid application and browses to the attacker's web application (https://okcupidmeethehacker.com), an HTTP GET request is sent to https://api.okcupid.com/1/native/bootstrap containing the victim's cookies. The server's response contains a large JSON containing the victim's authentication token (oauth_accesstoken) and the victim's user_id.
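The CORS finding comes down to two response headers: the server echoed the requesting origin in Access-Control-Allow-Origin and set Access-Control-Allow-Credentials: true, so a browser on an unrelated site could read the cookie-authenticated bootstrap response. The following added example (not OkCupid's code) shows how such headers are computed in a misconfigured and in a hardened form, plus a small audit helper for response headers. The page only states that the origin was not properly validated; the prefix check in the misconfigured function is an assumed illustration of one common way that happens, chosen because the research used a look-alike origin, and the allowlist is an assumption as well.

```javascript
// Added example, not OkCupid's code. Computes CORS headers for a credentialed
// API endpoint. The allowlist and the flawed prefix check are illustrative assumptions.
const ALLOWED_ORIGINS = new Set(['https://www.okcupid.com', 'https://okcupid.com']);

// Misconfigured: a loose prefix check accepts any origin that merely starts with
// the brand name, then reflects it back together with Allow-Credentials: true.
function corsHeadersMisconfigured(origin) {
  if (origin && origin.startsWith('https://okcupid')) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
    };
  }
  return {};
}

// Hardened: exact-match against a fixed allowlist, emit Vary: Origin so shared
// caches keep per-origin responses apart, and never pair '*' with credentials.
function corsHeadersHardened(origin) {
  const headers = { Vary: 'Origin' };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Audit helper: given a response's headers and the origin that sent the request,
// would a browser let that origin read a cookie-authenticated response? Browsers
// ignore '*' when credentials are involved, so only an exact echo counts.
function exposesCredentialedData(headers, origin) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  return creds && acao === origin;
}
```

Running the audit helper over captured responses for a set of test origins (a look-alike domain, a subdomain, a null origin) is a quick way to confirm a fix like the one OkCupid deployed actually rejects everything outside the allowlist.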

We could find more useful data in the bootstrap API endpoint, namely sensitive API endpoints on the API server:

The following screenshot demonstrates sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:
