Hacker, 22, seeks LTR with your data: weaknesses available on popular dating app that is okCupid


No Real Daters Harmed in This Exercise

Analysis by Alon Boxiner, Eran Vaknin

With more than 50 million registered users since its launch, the majority aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived in 2004 when four friends from Harvard created the first free online dating service, it claims that more than 91 million connections are made through it annually and 50K dates every week, and in 2012 it became the first major dating site to create a mobile app.

Dating apps offer a convenient, accessible and instant way of meeting other people through the application. By having users share their personal preferences in almost any area, and using the app’s matching algorithm, the app pairs users with like-minded individuals who can immediately begin interacting via instant messaging.

To make all those connections, OkCupid builds detailed personal profiles for all its users, so that it can make the best match, or matches, based on each user’s personal information.

Naturally, these detailed user profiles are not only of interest to potential love matches. They are also highly prized by hackers, as they are the ‘gold standard’ of data, either for use in targeted attacks or for selling on to other hacking groups, because they allow attack attempts to be extremely convincing to unsuspecting targets.

As our researchers have previously uncovered vulnerabilities in other popular social media platforms and apps, we decided to investigate the OkCupid app to see if we could find anything that matched our interests. We found something unique that led us into a much deeper relationship (strictly professional, of course). The vulnerabilities we found and describe in this research could have allowed attackers to:

  • Expose users’ sensitive data stored on the application.
  • Perform actions on behalf of the victim.
  • Steal users’ profile and private data, preferences and characteristics.
  • Steal users’ authentication token, user IDs, and other sensitive information such as email addresses.
  • Send the collected data to the attacker’s server.

Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research, and a fix was responsibly deployed to ensure its users can safely continue using the OkCupid app.

OkCupid added: “Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Checkpoint who, with OkCupid, put the privacy and security of our users first.”

Mobile Platform

We began our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (and enables JavaScript to run within the context of the WebView window) and loads remote URLs such as https://okcupid.com, https://www.okcupid.com, https://okcupid.onelink.me and more.

Deep links help attackers’ intents

While reverse engineering the OkCupid application, we discovered that it has “deep links” functionality, making it possible to invoke intents in the app via a browser link.

The intents that the application listens to are the “https://okcupid.com” scheme, the “okcupid://” custom scheme and several more schemes:

An attacker can send a custom link that uses the schemes mentioned above. Because the custom link contains the “section” parameter, the mobile application opens a WebView (web browser) window inside the OkCupid mobile application. Any request made from it is sent with the user’s cookies.

For demonstration purposes, we used the following link:

The mobile application opens a WebView (web browser) window with JavaScript enabled.
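The weakness in this flow is that the app trusts whatever scheme, host and query arrive in the link and hands them to a JavaScript-enabled, cookie-bearing WebView. The following is an added example, not code from the article or from OkCupid, that models the decision an app should make before loading anything: rebuild the URL from allowlisted parts and refuse everything else. The hosts come from the article; the `/settings` path and the section names are constructed placeholders, since the page does not list them.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hosts the article says the app loads in its WebView.
ALLOWED_HOSTS = {"okcupid.com", "www.okcupid.com", "okcupid.onelink.me"}
CUSTOM_SCHEME = "okcupid"  # the okcupid:// scheme named in the article

# Constructed for this example: the article does not list the settings path
# or the valid section names, so these are placeholders.
SETTINGS_PATH = "/settings"
KNOWN_SECTIONS = {"profile", "privacy", "notifications"}


def resolve_deep_link(link: str):
    """Decide what, if anything, the WebView may load for an incoming link.

    Returns an https URL rebuilt from allowlisted parts, or None to refuse.
    The incoming string itself is never handed to the WebView, so a link
    that smuggles an unexpected scheme, host or query never reaches it.
    """
    parts = urlsplit(link)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # already lower-cased, port removed

    if scheme == CUSTOM_SCHEME:
        # okcupid://settings?section=... : the "host" position names the screen
        if host != "settings":
            return None
        target_host = "www.okcupid.com"
    elif scheme == "https" and host in ALLOWED_HOSTS:
        if parts.path != SETTINGS_PATH:
            # Other paths on trusted hosts load without any caller-supplied query.
            return urlunsplit(("https", host, parts.path, "", ""))
        target_host = host
    else:
        # http://, javascript:, data:, unknown or look-alike hosts
        return None

    # The value that will end up reflected is only ever one of a fixed set.
    section = parse_qs(parts.query).get("section", [None])[0]
    if section not in KNOWN_SECTIONS:
        return None
    return urlunsplit(
        ("https", target_host, SETTINGS_PATH, urlencode({"section": section}), "")
    )


if __name__ == "__main__":
    for link in (
        "okcupid://settings?section=privacy",
        "okcupid://settings?section=%3Cscript%3E",
        "https://www.okcupid.com.attacker.example/settings?section=privacy",
        "javascript:alert(1)",
    ):
        print(link, "->", resolve_deep_link(link))
```

Rebuilding the URL rather than filtering the original is the point: a comparison on `hostname` defeats look-alike domains and case tricks, and dropping the caller's query on every path except the one that needs it removes the channel the article's section parameter travelled through.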

Reflected Cross-Site Scripting (XSS)

As our research continued, we discovered that the OkCupid main domain, https://www.okcupid.com, is vulnerable to an XSS attack.

The injection point of this XSS attack was located in the user settings functionality.

Retrieving the user profile settings is done using an HTTP GET request sent to the following path:

The section parameter is injectable, and a hacker could use it to inject malicious JavaScript code.

For the purpose of demonstration, we popped a simple alert window. Note: As we noted above, the mobile application opens a WebView window, so the XSS is executed within the context of an authenticated user of the OkCupid mobile application.
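The server-side half of the problem is that the section value is written back into the page unchanged. The following is an added example, not code from the article or from OkCupid, that places the reflected pattern beside two fixes (output encoding alone, then an allowlist plus encoding) and includes the check a reviewer applies to a captured response to tell them apart. The section names are constructed placeholders; the probe string is a constructed, non-scripting marker that merely shows whether metacharacters survive.

```python
import html
from urllib.parse import parse_qs

# Constructed for this example: the article does not list the valid
# section names, so this allowlist is a placeholder.
KNOWN_SECTIONS = ("profile", "privacy", "notifications")


def _section_from(query: str) -> str:
    return parse_qs(query).get("section", [""])[0]


def render_settings_vulnerable(query: str) -> str:
    """The reflected pattern the article describes: the parameter is echoed
    straight into an attribute. Kept only as the 'before' for comparison."""
    return f'<div id="settings" data-section="{_section_from(query)}"></div>'


def render_settings_escaped(query: str) -> str:
    """Fix 1: contextual output encoding. quote=True also encodes the double
    quote, which is what lets a value break out of an attribute."""
    section = html.escape(_section_from(query), quote=True)
    return f'<div id="settings" data-section="{section}"></div>'


def render_settings_fixed(query: str) -> str:
    """Fix 2: allowlist the value first, then encode it anyway. A name the
    page does not know falls back to a default instead of being reflected."""
    section = _section_from(query)
    if section not in KNOWN_SECTIONS:
        section = KNOWN_SECTIONS[0]
    return f'<div id="settings" data-section="{html.escape(section, quote=True)}"></div>'


def reflects_unencoded(value: str, body: str) -> bool:
    """Review check over a captured response: the raw value, metacharacters
    intact, appears in the body. Values without metacharacters never count,
    because echoing plain text is harmless."""
    return value != html.escape(value, quote=True) and value in body


# Constructed probe: breaks out of the attribute but contains no script.
PROBE = '"><b>probe</b>'
PROBE_QUERY = "section=%22%3E%3Cb%3Eprobe%3C%2Fb%3E"  # PROBE, URL-encoded

if __name__ == "__main__":
    for name, render in (
        ("vulnerable", render_settings_vulnerable),
        ("escaped", render_settings_escaped),
        ("fixed", render_settings_fixed),
    ):
        body = render(PROBE_QUERY)
        print(f"{name:11} reflected={reflects_unencoded(PROBE, body)}  {body}")
```

Encoding alone already closes the hole in this attribute context; the allowlist is defence in depth for the day the value is reused in a JavaScript or URL context where HTML encoding is the wrong tool.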

Sensitive Data Exposure & Performing Actions on Behalf of the Victim

Up to this point, we were able to launch the OkCupid mobile application via a deep link, okcupid://, containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker’s server (note that the upper part contains the XSS payload and the lower part is the same payload with URL encoding):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed within the context of the WebView.

As mentioned before, the final XSS payload loads a script file from the attacker’s server. The loaded JavaScript code can be used for exfiltration and account hijacking and contains 3 functions:

  1. steal_token – Steals the user’s authentication token, oauthAccessToken, and the user’s id, userid. The user’s sensitive information (PII), such as email, is exfiltrated too.
  2. steal_data – Steals the user’s profile and private data, preferences, user characteristics (e.g. answers filled in during registration), and more.
  3. send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker’s server.

steal_token function:

The function makes an API call to the server. The user’s cookies are sent to the server because the XSS payload is executed within the context of the application’s WebView.

The server responds with a large JSON that includes the user’s id and the authentication token:

steal_data function:

The function makes an HTTP request to the https://www.okcupid.com:443/graphql endpoint.

Based on the information exfiltrated in the steal_token function, the request is sent with the authentication token and the user’s id.

The server responds with all the information about the victim’s profile, including email, sexual orientation, height, family status, etc.

send_data_to_attacker function:

The function makes a POST request to the attacker’s server containing all the data retrieved in the previous functions (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker’s server. The request body contains all the victim’s sensitive information:

Performing actions on behalf of the victim is also possible thanks to the exfiltration of the victim’s authentication token and user id. This information is used in the malicious JavaScript code (in the same way it is used in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data thanks to the information exfiltrated in the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (bearer value).
  2. The user id, userId, is added as required.

Note: An attacker cannot perform a full account takeover because the cookies are protected with HttpOnly.

Web Platform Vulnerabilities

Misconfigured Cross-Origin Resource Sharing Policy Leads To Sensitive Data Exposure

In the course of the research, we discovered that the CORS policy of the API server api.okcupid.com is not configured properly, and any origin can send requests to the server and read its responses. The following request is a request sent to the API server from the origin https://okcupidmeethehacker.com:

The server does not properly validate the origin and responds with the requested data. Moreover, the server response contains the Access-Control-Allow-Origin: https://okcupidmeethehacker.com and Access-Control-Allow-Credentials: true headers:

From this point on, we knew that we could send requests to the API server from our domain (okcupidmeethehacker.com) without being blocked by the CORS policy.

Once a victim is authenticated on the OkCupid application and browses to the attacker’s web application (https://okcupidmeethehacker.com), an HTTP GET request is sent to https://api.okcupid.com/1/native/bootstrap containing the victim’s cookies. The server’s response contains a large JSON containing the victim’s authentication token (oauth_accesstoken) and the victim’s user_id.
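What makes this finding exploitable is the combination the response headers show: the request's Origin is echoed back verbatim, and Allow-Credentials is true, so the browser lets the foreign page read a cookie-authenticated reply. The following is an added example, not code from the article or from OkCupid, that places that header logic beside an exact-match allowlist and adds an audit function a tester or detection engineer can run over captured response headers. The allowed origins are constructed placeholders; the sample response is constructed to mirror the headers the article reports.

```python
# Origins allowed to read credentialed API responses. Constructed for the
# example; the article does not list OkCupid's legitimate web origins.
ALLOWED_ORIGINS = {"https://www.okcupid.com", "https://okcupid.com"}


def cors_headers_vulnerable(origin):
    """The behaviour the article found: whatever Origin arrives is echoed
    back together with Allow-Credentials, so any site can read the reply."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_fixed(origin):
    """Exact-match allowlist. Untrusted origins get no CORS headers at all,
    so the browser refuses to expose the response to their scripts."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve one origin's ACAO to another
    }


def parse_headers(raw: str) -> dict:
    """Turn raw response header text into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_cors(request_origin: str, raw_response: str) -> list:
    """Flag what together makes the article's finding: a credentialed
    response whose Allow-Origin is the caller's own, untrusted origin."""
    h = parse_headers(raw_response)
    acao = h.get("access-control-allow-origin")
    credentialed = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*" and credentialed:
        findings.append("wildcard ACAO combined with credentials")
    if acao and acao == request_origin and acao not in ALLOWED_ORIGINS:
        findings.append(f"untrusted origin {acao} reflected in ACAO")
        if credentialed:
            findings.append("credentialed response readable cross-origin")
    return findings


# Constructed sample modelled on the response headers the article describes.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: https://okcupidmeethehacker.com
Access-Control-Allow-Credentials: true
"""

if __name__ == "__main__":
    attacker = "https://okcupidmeethehacker.com"
    print("vulnerable:", cors_headers_vulnerable(attacker))
    print("fixed:     ", cors_headers_fixed(attacker))
    for finding in audit_cors(attacker, SAMPLE_RESPONSE):
        print("finding:", finding)
```

The allowlist compares whole origins (scheme, host and port), not substrings or suffixes, because a suffix match on `okcupid.com` would accept the article's `okcupidmeethehacker.com` just as readily as the reflecting policy did. Omitting the headers entirely for unknown origins is also preferable to a fixed ACAO value, since the response then carries nothing a foreign page can use.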

We could find more useful information in the bootstrap API endpoint – sensitive API endpoints within the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim’s user_id and the access_token:

The following screenshot shows exfiltration of the victim’s messages from the /1/messages/ API endpoint, using the victim’s user_id and the access_token:
