Expert Comments

Experts Reaction Om OkCupid App & Web Security Flaws Discovered

Expert(s): Security Experts
Expert(s): Security Experts

The checkpoint research team reported a slew of flaws in OkCupid’s popular dating app, allowing attackers to collect users’ sensitive information, change their profile, or even send messages from their profile. Cybersecurity experts reacted below on this research.

Experts Comments

Dot Your Expert Comments
Chris Hauk
July 30, 2020
Consumer Privacy Champion
Pixel Privacy

Dating app users should carefully research any dating app's privacy policy before signing up.
Numerous dating apps have been found to have security flaws and to be collecting and sharing information about users' profiles, chat contents, and even their financial information. Dating app users should carefully research any dating app's privacy policy before signing up, and should only sign up for services that collect and share as little information as possible about their users.
Brian Higgins
July 30, 2020
Security Specialist
Comparitech.com

t’s extremely naive and dangerous to place all security responsibilities upon the platform provider and not take steps to protect yourself as well.
This story is rather alarmist as the vulnerabilities described have been fixed by OkCupid. In fact, they state that they were grateful for the information and took steps to mitigate the threats within 48 hours. Furthermore, it would appear there was no evidence to suggest any user data was breached. As a platform provider, they have acted swiftly and properly although they ought to have been checking their App and webpage regularly for bugs and flaws themselves. Mobile dating apps are.....Read More
This story is rather alarmist as the vulnerabilities described have been fixed by OkCupid. In fact, they state that they were grateful for the information and took steps to mitigate the threats within 48 hours. Furthermore, it would appear there was no evidence to suggest any user data was breached. As a platform provider, they have acted swiftly and properly although they ought to have been checking their App and webpage regularly for bugs and flaws themselves. Mobile dating apps are particularly attractive to Cybercriminals due to the sensitive nature of much of the personal data and imagery they contain. Users should always check the security credentials of such services and follow some basic personal security protocols to protect themselves from blackmail, extortion, and other associated criminal methodologies surrounding online data. It’s extremely naive and dangerous to place all security responsibilities upon the platform provider and not take steps to protect yourself as well.  Read Less
Thomas Richards
July 30, 2020
Principal Consultant
Synopsys

Once an account is compromised, the attackers could use that account to facilitate additional compromise.
With the ability to send messages to users, the chances of social engineering within the application are high. There is both a mobile and web interface which gives attackers the possibility to script sending messages to various users with the aim of compromising user profiles. Setting up fake accounts with attractive photos has been used before in phishing attacks and could certainly be used again. Once an account is compromised, the attackers could use that account to facilitate additional.....Read More
With the ability to send messages to users, the chances of social engineering within the application are high. There is both a mobile and web interface which gives attackers the possibility to script sending messages to various users with the aim of compromising user profiles. Setting up fake accounts with attractive photos has been used before in phishing attacks and could certainly be used again. Once an account is compromised, the attackers could use that account to facilitate additional compromise by sending more messages to their contacts.  Read Less
John Kozyrakis
July 30, 2020
Senior Security Research Engineer
Synopsys

The Android app is configured to automatically open OkCupid-related URLs the user clicks on.
Like most XSS issues involving social engineering, an attacker would need to distribute a malicious link to users, and users would need to click on it. Normally this works only when the user is already logged in to a web application. In this case, the Android app is configured to automatically open OkCupid-related URLs the user clicks on. As such, if an attacker manages to send specially crafted URLs to mobile users (e.g., via a chat application), then upon clicking these links, the OkCupid.....Read More
Like most XSS issues involving social engineering, an attacker would need to distribute a malicious link to users, and users would need to click on it. Normally this works only when the user is already logged in to a web application. In this case, the Android app is configured to automatically open OkCupid-related URLs the user clicks on. As such, if an attacker manages to send specially crafted URLs to mobile users (e.g., via a chat application), then upon clicking these links, the OkCupid app would load the link much like a normal web browser would. The interesting thing here is that the OkCupid app is almost always logged in to the OkCupid website and is widely used by users. Thus, by using the Android app in the attack workflow, the vulnerable user base is increased compared to just launching this attack in a way that only web-app users are vulnerable.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Hackers Steal Wealth of Data from Game Giant EA

Researchers Create Un-hackable Quantum Network, Expert Weighs In

Italian Government Announces National Cybersecurity Agency

JBS Pays $11 Million Dollars in Cyber Ransom

Malware Stole 1.2TB Private Data From 3 Mil PCs

Experts React: RockYou2021, Largest Password Leak

Colonial Pipeline CEO Grilled by Senate but Experts Think Different

Experts Inisght On Security Threats Of VPN And What Organisations...

Kent School’s Suffer Cyberattack With Systems Offline And Data Stolen

NY City Law Dept Computer Systems Hacked & Shut Down...

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

Privacy & Cookies Policy