The checkpoint research team reported a slew of flaws in OkCupid’s popular dating app, allowing attackers to collect users’ sensitive information, change their profile, or even send messages from their profile. Cybersecurity experts reacted below on this research.
Numerous dating apps have been found to have security flaws and to be collecting and sharing information about users\’ profiles, chat contents, and even their financial information. Dating app users should carefully research any dating app\’s privacy policy before signing up, and should only sign up for services that collect and share as little information as possible about their users.
This story is rather alarmist as the vulnerabilities described have been fixed by OkCupid. In fact, they state that they were grateful for the information and took steps to mitigate the threats within 48 hours. Furthermore, it would appear there was no evidence to suggest any user data was breached. As a platform provider, they have acted swiftly and properly although they ought to have been checking their App and webpage regularly for bugs and flaws themselves. Mobile dating apps are particularly attractive to Cybercriminals due to the sensitive nature of much of the personal data and imagery they contain. Users should always check the security credentials of such services and follow some basic personal security protocols to protect themselves from blackmail, extortion, and other associated criminal methodologies surrounding online data. It’s extremely naive and dangerous to place all security responsibilities upon the platform provider and not take steps to protect yourself as well.
With the ability to send messages to users, the chances of social engineering within the application are high. There is both a mobile and web interface which gives attackers the possibility to script sending messages to various users with the aim of compromising user profiles. Setting up fake accounts with attractive photos has been used before in phishing attacks and could certainly be used again. Once an account is compromised, the attackers could use that account to facilitate additional compromise by sending more messages to their contacts.
Like most XSS issues involving social engineering, an attacker would need to distribute a malicious link to users, and users would need to click on it. Normally this works only when the user is already logged in to a web application.
In this case, the Android app is configured to automatically open OkCupid-related URLs the user clicks on. As such, if an attacker manages to send specially crafted URLs to mobile users (e.g., via a chat application), then upon clicking these links, the OkCupid app would load the link much like a normal web browser would. The interesting thing here is that the OkCupid app is almost always logged in to the OkCupid website and is widely used by users.
Thus, by using the Android app in the attack workflow, the vulnerable user base is increased compared to just launching this attack in a way that only web-app users are vulnerable.