Hacker, 22, seeks LTR with your data: vulnerabilities found on popular OkCupid dating app

No Actual Daters Were Harmed in This Exercise

Research by Alon Boxiner, Eran Vaknin

With over 50 million registered users since its launch, most of them aged between 25 and 34, OkCupid is one of the most popular dating platforms worldwide. Conceived when four friends from Harvard created the first free online dating service, it claims that over 91 million connections are made through it every year, with 50K dates made every week, and it became the first major dating site to launch a mobile app.

Dating apps enable a comfortable, open and immediate connection with other people using the app. By sharing personal preferences in every area, and using the app's sophisticated algorithm, it matches users to like-minded people who can immediately start communicating via instant messaging.

To create all of these connections, OkCupid builds personal profiles for all of its users, so that it can make the best match, or matches, based on each user's valuable personal information.

Of course, these detailed personal profiles are not only of interest to potential love matches. They're also highly prized by hackers, as they're the 'gold standard' of data, either to be used in targeted attacks or to be sold on to other hacking groups, because they allow attack attempts to be highly convincing to unsuspecting targets.

As our researchers have previously uncovered vulnerabilities in other popular social media platforms and apps, we decided to research the OkCupid app to see whether we could find anything that matched our interests. And we found several things that led us into a much deeper relationship (strictly professional, of course). The vulnerabilities we found and have described in this research could have allowed attackers to:

  • Expose users' sensitive data stored in the app.
  • Perform actions on behalf of the victim.
  • Steal users' profile and private data, preferences and characteristics.
  • Steal users' authentication tokens, user IDs, and other sensitive information such as email addresses.
  • Forward the collected information to the attacker's server.

Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research, and a fix was responsibly deployed to ensure its users can safely continue using the OkCupid app.

OkCupid added: "Not a single user was affected by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Checkpoint who, with OkCupid, put the safety and privacy of our users first."

Mobile Platform

We started our research with some reverse engineering of the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (and allows JavaScript to run within the context of the WebView window) and loads remote URLs such as and more.

Deep links allow attackers' intents

While reverse engineering the OkCupid application, we found that it has "deep links" functionality, which makes it possible to invoke intents within the app via a browser link.

The intents that the application listens to are the schema, the custom schema and several more schemas:

An attacker can send a custom link containing the schemas mentioned above. The OkCupid mobile application will open a WebView (browser) window, since the custom link contains the "section" parameter. Any request will be sent with the user's cookies.

For demonstration purposes, we used the following link:

The mobile application opens a WebView (browser) window with JavaScript enabled.
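The defensive counterpart to the behaviour described above is to validate a deep link before it is handed to a JavaScript-enabled WebView that carries the user's session. The following is an added illustration in Python (not OkCupid's code and not Check Point's); it assumes a constructed allowlisted host, app.example.com, and a constructed set of known "section" values, and it checks scheme, user-info, exact host and the reflected parameter in that order so that the rejection reason is useful in a log.

```python
"""Validate a deep link before loading it in an in-app WebView.

Added illustration only: the host app.example.com and the section names are
constructed placeholders, not values from the original research.
"""
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only origin the WebView is permitted to load.
ALLOWED_HOSTS = {"app.example.com"}
# Constructed allowlist of "section" values the settings screen understands.
ALLOWED_SECTIONS = {"profile", "privacy", "notifications"}


def validate_deep_link(url: str) -> Tuple[bool, str]:
    """Return (accepted, reason). A link is accepted only if every check passes."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    # Only https may reach a WebView that runs with the user's cookies;
    # javascript:, file:, http: and custom schemes are all refused here.
    if parts.scheme.lower() != "https":
        return False, f"scheme not allowed: {parts.scheme!r}"

    # "https://app.example.com@evil.example/" parses with the real host in the
    # authority and the trusted name as user-info; refuse any user-info.
    if parts.username is not None or parts.password is not None:
        return False, "user-info present in URL"

    # Exact-match the host. A suffix check such as host.endswith("example.com")
    # would accept "app.example.com.attacker.example", so never use one.
    host = parts.hostname  # already lower-cased and port-stripped
    if host not in ALLOWED_HOSTS:
        return False, f"host not allowed: {host!r}"

    # The reflected parameter: accept exactly one known section identifier, so
    # an attacker-supplied value is rejected before any request is made.
    section = parse_qs(parts.query).get("section", [])
    if len(section) != 1 or section[0] not in ALLOWED_SECTIONS:
        return False, f"section not allowed: {section!r}"

    return True, "ok"


# Constructed sample links exercising each branch.
SAMPLE_LINKS = [
    "https://app.example.com/settings?section=profile",
    "HTTPS://APP.EXAMPLE.COM/settings?section=privacy",
    "https://app.example.com.attacker.example/settings?section=profile",
    "https://app.example.com@attacker.example/settings?section=profile",
    "javascript:void(0)",
    "https://app.example.com/settings?section=%3Cscript%3E",
    "https://app.example.com/settings?section=profile&section=privacy",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        accepted, reason = validate_deep_link(link)
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {reason:40} {link}")
```

The order of checks matters: the host check alone would already reject the user-info trick, but naming the reason explicitly is what makes the rejection meaningful when it shows up in app telemetry.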

Reflected Cross-Site Scripting (XSS)

As our research continued, we discovered that the OkCupid main domain, is vulnerable to an XSS attack.

The injection point of this XSS attack was found in the user settings functionality.

Retrieving the user profile settings is done using an HTTP GET request sent to the following path:

The section parameter is injectable, and an attacker could use it to inject malicious JavaScript code.

For the purpose of demonstration, we popped a simple alert window. Note: as mentioned above, the mobile application opens a WebView window, so the XSS is executed in the context of an authenticated user of the OkCupid mobile application.
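To make the injection point concrete from the server's side, here is an added Python illustration (not OkCupid's server code; the page markup, the handler shape and the section names are constructed) of a settings page that reflects the `section` query parameter. The unsafe renderer concatenates the raw value into HTML, which is the reflected-XSS pattern; the hardened renderer encodes the value for the HTML text and attribute contexts it lands in and pins a Content-Security-Policy as a second layer, which matters doubly when the page is loaded inside an in-app WebView that runs JavaScript with the user's session.

```python
"""Reflected 'section' parameter: unsafe rendering beside a hardened one.

Added illustration only; the markup and parameter names are constructed.
"""
import html
from typing import Dict, Tuple
from urllib.parse import parse_qs

KNOWN_SECTIONS = {"profile", "privacy", "notifications"}  # constructed


def _section_from(query_string: str) -> str:
    """Pull the first 'section' value out of a raw query string."""
    return parse_qs(query_string).get("section", ["profile"])[0]


def render_settings_unsafe(query_string: str) -> str:
    """The vulnerable pattern: the raw parameter is reflected into markup,
    so a value containing tags or quotes becomes part of the page."""
    section = _section_from(query_string)
    return f'<h1>Settings: {section}</h1><div data-section="{section}"></div>'


def render_settings_safe(query_string: str) -> Tuple[str, Dict[str, str]]:
    """Hardened rendering: output-encode for the HTML text and attribute
    contexts, and send a CSP so inline script would not run even if some
    other reflection were missed. Returns (body, response_headers)."""
    section = _section_from(query_string)
    # html.escape with quote=True encodes < > & " ' so the value can neither
    # open a tag nor break out of the double-quoted attribute below.
    safe = html.escape(section, quote=True)
    body = f'<h1>Settings: {safe}</h1><div data-section="{safe}"></div>'
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


def is_known_section(query_string: str) -> bool:
    """Optional tighter control: reject anything outside the allowlist before
    rendering at all, so unexpected values are never reflected."""
    return _section_from(query_string) in KNOWN_SECTIONS


# Constructed inputs: one benign value and two classic injection shapes.
BENIGN = "section=privacy"
TAG_PAYLOAD = "section=<script>alert(1)</script>"
ATTR_PAYLOAD = 'section=x" onmouseover="alert(1)'

if __name__ == "__main__":
    for q in (BENIGN, TAG_PAYLOAD, ATTR_PAYLOAD):
        print("unsafe:", render_settings_unsafe(q))
        body, _ = render_settings_safe(q)
        print("safe:  ", body)
        print("known: ", is_known_section(q))
```

Encoding on output is the fix for the reflection itself; the allowlist check is the stricter option when the parameter only ever takes a handful of known values, and the CSP header limits the blast radius of any reflection that escapes review.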