Security researchers identified multiple vulnerabilities on the Web and mobile platforms of online dating site OkCupid that could have allowed hackers to steal user private data of users. The data could include full profile details, private messages, sexual orientation, personal addresses, and even all submitted answers to OkCupid’s profiling questions. The team at OkCupid is claimed to have fixed the flaws within 48 hours of receiving their details. It has also stated that the vulnerabilities haven’t impacted any of its users.
Researchers at Check Point Research disclosed the vulnerabilities in OkCupid that could have allowed hackers to gain user data access. The research work took place through the OkCupid Android app version 40.3.1 on Android 6.0.1. Upon reverse engineering the mobile app, the researchers discovered “deep links” functionality that could provide backdoor access to hackers to send malicious links.
While testing the mobile app, the researchers’ team was also able to find the OkCupid primary domain vulnerable to cross-site scripting (XSS) attacks. Both those loopholes could be combined to let a hacker send specially crafted links to users and steal their personal data.
The researchers said that at the time of their testing, they saw that the server responded with all the information regarding the victim’s profile, including email, and family status.
“Performing actions on behalf of the victim is also possible due to the exfiltration of the victim’s authentication token and the users’ ID,” the researchers noted in a blog.
Additionally, Check Point researchers found a misconfigured Cross-Origin Resource Sharing (CROS) policy in an API server of OkCupid. It could allow hackers to even filter user data from the profile API endpoint and let them read victim’s personal conversations.
“Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours,” OkCupid responded to Check Point on its discovery.
Online dating has reached new levels due to the coronavirus outbreak that has brought restrictions in meeting people physically. OkCupid itself has also noticed as much as 20 percent increase in conversations and 10 percent increase in matches globally. However, there are some references showing that people meeting online aren’t that safe due to potential vulnerabilities and growing amounts of data breaches.
In 2020, will WhatsApp get the killer feature that every Indian is waiting for? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts or RSS, download the episode, or just hit the play button below.
