Hacker, 22, seeks LTR with your data: vulnerabilities found on popular OkCupid dating application

No Actual Daters Harmed in This Exercise

Analysis by Alon Boxiner, Eran Vaknin

With more than 50 million registered users since its launch, and the majority aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived in 2004 when four friends from Harvard created the first free online dating service, it claims that more than 91 million connections are made through it annually, with 50K dates made every week, and in 2012 it became the first major dating site to create a mobile app.

Dating apps enable a comfortable, accessible and immediate connection with other people using the app. By sharing personal preferences in any area, and using the app's sophisticated algorithm, it brings users together with like-minded people who can immediately begin communicating via instant messaging.

To create all these connections, OkCupid builds personal profiles for all its users, so that it can make the best match, or matches, based on each user's valuable personal information.

Of course, these detailed personal profiles are not just of interest to potential love matches. They're also highly prized by hackers, as they're the 'gold standard' of information, either for use in targeted attacks or for selling on to other hacking groups, since they allow attack attempts to be highly convincing to unsuspecting targets.

As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to look into the OkCupid app and see if we could find anything that matched our interests. And we found several things that led us into a deeper relationship (purely professional, of course). The vulnerabilities we discovered and have described in this research could have allowed attackers to:

  • Expose users' sensitive data stored on the app.
  • Perform actions on behalf of the victim.
  • Steal users' profile and private data, preferences and characteristics.
  • Steal users' authentication token, users' IDs, and other sensitive information such as email addresses.
  • Send the data gathered to the attacker's server.

Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research, and a solution was responsibly implemented to ensure its users can safely continue using the OkCupid app.

OkCupid added: “Not a single individual had been relying on the possibility vulnerability on OkCupid, so we could actually correct it within 48 hours. We’re grateful to partners like Checkpoint who, with OkCupid, place the security and privacy of our users first.”

Mobile Platform

We started our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we discovered that the application opens a WebView (and enables JavaScript to execute in the context of the WebView window) and loads remote URLs such as https://, https://www., https://OkCupid. and more.

Deep links enable attackers’ intents

While reverse engineering the OkCupid application, we found that it has “deep links” functionality, which makes it possible to invoke intents in the app via a browser link.

The intents that the application listens to are the “https://” schema, the “OkCupid://” custom schema and several more schemas:

An attacker can send a custom link that contains the schemas mentioned above. Since the custom link will contain the “section” parameter, the OkCupid mobile application will open a WebView (browser) window. Any request will be sent with the users' cookies.

For demonstration purposes, we used the following link:

The mobile application opens a WebView (browser) window with JavaScript enabled.

Reflected Cross-Site Scripting (XSS)

As our research continued, we found that the OkCupid main domain, https://www., is vulnerable to an XSS attack.

The injection point of the XSS attack was found in the user settings functionality.

Retrieving the user profile settings is done using an HTTP GET request sent to the following path:

The section parameter is injectable, and a hacker could use it to inject malicious JavaScript code.

For the purpose of demonstration, we popped an empty alert window. Note: as we mentioned above, the mobile application opens a WebView window, so the XSS is executed in the context of an authenticated user using the OkCupid mobile application.
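The deep-link and reflected-XSS passages above both hinge on the section parameter reaching the page unchecked. The following is an added example, not code from the research or from OkCupid: it shows an unencoded reflection beside an allowlisted, output-encoded one, plus a deep-link filter. The section names, the `settings` host in the link and all function names are assumptions made for illustration.

```javascript
// Added example; section names below are hypothetical, not OkCupid's.
const ALLOWED_SECTIONS = new Set(["account", "notifications", "privacy"]);

// Minimal HTML escaping for text and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Before: the value is copied into the response as-is, so markup in it
// is parsed as markup by the WebView or browser.
function renderSettingsUnsafe(section) {
  return `<div id="settings" data-section="${section}"></div>`;
}

// After: unknown values are rejected; known ones are still encoded on output.
function renderSettingsSafe(section) {
  if (!ALLOWED_SECTIONS.has(section)) {
    return { status: 400, body: "unknown section" };
  }
  const body = `<div id="settings" data-section="${escapeHtml(section)}"></div>`;
  return { status: 200, body };
}

// Deep-link side: hand a link to the WebView only if its section
// parameter is on the allowlist; anything else yields null.
function sectionFromDeepLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not a parseable link
  }
  const section = url.searchParams.get("section");
  return section !== null && ALLOWED_SECTIONS.has(section) ? section : null;
}
```

Applying the same allowlist in the app's intent handler and on the server means a crafted link is dropped before the WebView loads it, and the server still refuses the value if it arrives another way.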

Sensitive Data Exposure & Performing actions on behalf of the victim

Up to this point, we are able to launch the OkCupid mobile application using a deep link, OkCupid://, containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the upper section contains the XSS payload and the bottom section is the same payload encoded with URL encoding):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for exfiltration and contains 3 functions:

  1. steal_token – Steals users' authentication token, oauthAccessToken, and the users' id, userid. Users' sensitive information (PII), such as email, is exfiltrated as well.
  2. steal_data – Steals users' profile and private data, preferences, users' characteristics (e.g. answers filled in during registration), and more.
  3. send_data_to_attacker – Sends the data gathered in functions 1 and 2 to the attacker's server.

Steal_token function:

The function creates an API call to the server. Users' cookies are sent to the server since the XSS payload is executed in the context of the application's WebView.

The server responds with a vast JSON containing the users' id and the authentication token as well:

Steal data function:

The function creates an HTTP request to the https://www. 443/graphql endpoint.

Based on the information exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with all the information regarding the victim's profile, including email, sexual orientation, height, family status, etc.

Send data to attacker function:

The function creates a POST request to the attacker's server containing all the information retrieved in the previous function calls (steal_token and steal_data functions).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all the victim's sensitive information:

Performing actions on behalf of the victim is also possible due to the exfiltration of the victim's authentication token and the users' id. This information is used in the malicious JavaScript code (just as it is used in the steal_data function).

An attacker can execute actions such as sending messages and changing profile data due to the information exfiltrated in the steal_token function:

  1. Authentication token, oauthAccessToken, is used in the authorization header (bearer value).
  2. User id, userId, is added as required.

Note: An attacker cannot perform full account takeover since the cookies are protected with HTTPOnly.

Web Platform Vulnerabilities

Mis-configured Cross-Origin Resource Sharing Policy Leads To Sensitive Data Exposure

In the course of the research, we found that the CORS policy of the API server api. is not configured properly: any origin can send requests to the server and read its responses. The following request shows a request sent to the API server from the origin https://

The server does not properly validate the origin and responds with the requested data. Moreover, the server response contains the Access-Control-Allow-Origin: https:// and Access-Control-Allow-Credentials: true headers:

From this point on, we understood that we can send requests to the API server from our domain without being blocked by the CORS policy.

As soon as a victim is authenticated on the OkCupid application and browses to the attacker's web application (https://), an HTTP GET request is sent to https://api. containing the victim's cookies. The server's response contains a vast JSON, containing the victim's authentication token (oauth_accesstoken) and the victim's user_id.
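The CORS behaviour described above, where the server echoes any Origin and also allows credentials, is shown here next to an exact-match allowlist and a check that flags the weak combination in a response. This is an added example, not code from the research or from OkCupid; the origins and function names are constructed for illustration.

```javascript
// Constructed origin for illustration; a real deployment lists its own.
const TRUSTED_ORIGINS = new Set(["https://www.example-dating.test"]);

// Before: any Origin is echoed back together with credentials, so every
// site can read authenticated API responses in the victim's browser.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// After: exact-match allowlist. "Vary: Origin" keeps shared caches from
// serving one origin's answer to another.
function corsHeadersAllowlist(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Audit check for your own API: send an Origin it should never trust and
// test whether the reply echoes it with credentials allowed.
function isCredentialedReflection(probeOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  return h["access-control-allow-origin"] === probeOrigin &&
    h["access-control-allow-credentials"] === "true";
}
```

The allowlist compares whole origin strings, so a lookalike host that merely starts or ends with a trusted name gets no Access-Control-Allow-Origin header.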

We were able to find a lot more useful information in the bootstrap API endpoint – sensitive API endpoints in the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:
