According to a report shared with The Hacker News, researchers from Check Point found that the flaws in OkCupid's Android and web applications could allow the theft of users' authentication tokens, user IDs, and other sensitive information such as email addresses, preferences, sexual orientation, and other private data.
After Check Point researchers responsibly shared their findings with OkCupid, the Match Group-owned company fixed the issues, stating, "not a single user was impacted by the potential vulnerability."
The Chain of Flaws
The flaws were identified as part of reverse engineering of OkCupid's Android app version 40.3.1, which was released on April 29 earlier this year. Since then, there have been 15 updates to the app with the most recent version (43.3.2) hitting Google Play Store yesterday.
"Users' cookies are sent to the [OkCupid] server since the XSS payload is executed in the context of the application's WebView," the researchers said, outlining their method to capture the token information. "The server responds with a vast JSON containing the users' id and the authentication token."
Once in possession of the user ID and the token, an adversary can send a request to the "https://www.OkCupid.com:443/graphql" endpoint to fetch all the information associated with the victim's profile (email address, sexual orientation, height, family status, and other personal preferences) as well as carry out actions on behalf of the compromised individual, such as sending messages and changing profile data.
However, a full account hijack is not possible as the cookies are protected with HttpOnly, mitigating the risk of a client-side script accessing the protected cookie.
Lastly, an oversight in the Cross-Origin Resource Sharing (CORS) policy of the API server could have permitted an attacker to craft requests from any origin (e.g. "https://okcupidmeethehacker.com") in order to get hold of the user ID and authentication token, and subsequently, use that information to extract profile details and messages using the API's "profile" and "messages" endpoints.
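The CORS oversight described above comes down to which origins the API server names in its response headers. The following is an added example, not code from Check Point's report or from OkCupid: it contrasts a policy that reflects any origin with an exact-match allow-list and audits both against a constructed probe set. The allow-list entry, function names and probe origins are assumptions.

```javascript
// Added example. The allow-list contents are an assumption for illustration.
const ALLOWED_ORIGINS = new Set(["https://www.okcupid.com"]);

// Weak policy: echoes any Origin back and allows credentials, so a page on
// any site can read authenticated API responses in the victim's browser.
function reflectingCorsHeaders(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Parse the Origin header; accept only a bare https scheme://host[:port].
function normalizeOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  let u;
  try { u = new URL(origin); } catch (e) { return null; }
  if (u.protocol !== "https:" || u.username || u.password) return null;
  if (u.pathname !== "/" || u.search || u.hash) return null;
  return u.origin; // lower-cased host, default port removed
}

// Hardened policy: exact match against the allow-list, never substring or
// suffix matching. Unlisted origins get no Access-Control-* headers at all.
function allowListCorsHeaders(origin) {
  const normalized = normalizeOrigin(origin);
  if (normalized === null || !ALLOWED_ORIGINS.has(normalized)) {
    return { "Vary": "Origin" };
  }
  return {
    "Access-Control-Allow-Origin": normalized,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Audit helper: which probe origins would be allowed to read responses?
function grantedOrigins(policy, probes) {
  return probes.filter((o) => "Access-Control-Allow-Origin" in policy(o));
}

// Constructed probe set; the second entry is the origin quoted in the article.
const PROBES = [
  "https://www.okcupid.com", "https://okcupidmeethehacker.com",
  "https://www.okcupid.com.attacker.example", "http://www.okcupid.com", "null",
];
console.log("reflecting:", grantedOrigins(reflectingCorsHeaders, PROBES));
console.log("allow-list:", grantedOrigins(allowListCorsHeaders, PROBES));
```

The same `grantedOrigins` audit can be pointed at any policy function in a unit test, so a regression that loosens the origin check fails the build.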
Remember Ashley Madison Breach and Blackmail Threats?
Although the vulnerabilities were not exploited in the wild, the episode is yet another reminder of how bad actors could have taken advantage of the flaws to threaten victims with blackmail and extortion.
After Ashley Madison, an adult dating service catering to married individuals seeking partners for affairs, was hacked in 2015 and information about its 32 million users was posted to the dark web, it led to a rise in phishing and sextortion campaigns, with blackmailers reportedly sending personalized emails to the users, threatening to reveal their membership to friends and family unless they paid money.
"The dire need for privacy and data security becomes far more crucial when so much private and intimate information is being stored, managed and analyzed in an app," the researchers concluded. "The app and platform was created to bring people together, but of course where people go, criminals will follow, looking for easy pickings."