IAC/InterActiveCorp-owned dating service OkCupid has fixed security flaws in its website and mobile apps that could have allowed attackers to access the personal data and private messages of the service's 50 million users.
The vulnerabilities were found and disclosed Wednesday by security researchers at Check Point Software Technologies Ltd. and stemmed from a range of coding errors. They could have allowed attackers to expose members' personally identifiable information, perform actions on behalf of a victim and steal sensitive user data, including private messages and sexual orientation.
The researchers detailed a three-step attack that could have been used to exploit the vulnerabilities against users. It starts with crafting a malicious link that carries the attacker's payload, followed by either sending the link directly to the intended target or posting it on a public forum for users to click. Once a victim clicks the link, the payload executes in the context of the victim's logged-in session, giving the attacker access to the account.
Having discovered the vulnerabilities, the researchers contacted OkCupid first, and the dating service fixed them within 48 hours. OkCupid may not be the only dating service with such flaws, however. "Our research into OkCupid, which is one of the longest-standing and most popular applications in their sector, has led us to raise some serious questions over the security of dating apps," the researchers noted.
John Kozyrakis, senior security research engineer at electronic design automation company Synopsys Inc., told SiliconANGLE that an attacker would need to distribute a malicious link to users and users would need to click on it, which normally works only when the user is already logged in.
“In this case, the Android app is configured to automatically open OkCupid-related URLs the user clicks on,” Kozyrakis explained. “As such, if an attacker manages to send specially crafted URLs to mobile users (e.g., via a chat application), then upon clicking these links, the OkCupid app would load the link much like a normal web browser would.”
The interesting thing here, he said, is that the OkCupid app is almost always logged into the OkCupid website and is widely used. “Thus, by using the Android app in the attack workflow, the vulnerable user base is increased compared to just launching this attack in a way that only web-app users are vulnerable,” Kozyrakis said.
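The three-step attack chain described earlier and the deep-link behaviour Kozyrakis describes both come down to a single decision: whether a URL that arrived from outside the app (a link clicked in a chat application and handed to the app by the operating system) should be loaded into a context that is already logged in. The following is an added example, not OkCupid's code and not Check Point's proof of concept, of the gate an app can put in front of that decision. It is written in JavaScript because the same check applies to a web client that opens links. The host names and the route table are assumptions for illustration, the weak substring check is a common anti-pattern shown only for contrast and not a description of OkCupid's implementation, and every sample link, including the ones carrying script payloads, is constructed here rather than taken from the research.

```javascript
// Added example: a gate for URLs that arrive from outside the app (a clicked
// link handed to the app by the OS) before they are loaded into a logged-in
// WebView or browser session. Not OkCupid's code; hosts and routes are assumed.

// Route table: allowed path -> the only query parameters that path accepts.
// (Assumed for illustration; a real app would derive this from its router.)
const ALLOWED_HOSTS = new Set(["okcupid.com", "www.okcupid.com"]);
const ALLOWED_ROUTES = new Map([
  ["/profile", new Set(["id"])],
  ["/messages", new Set(["thread"])],
]);
// Parameter values are treated as opaque identifiers, never as markup or code.
const SAFE_VALUE = /^[A-Za-z0-9_-]{1,64}$/;

// Weak check shown only for contrast: a substring match on the raw link.
// It accepts look-alike hosts and says nothing about scheme, path or parameters.
function weakCheck(raw) {
  return raw.includes("okcupid.com");
}

// Hardened check: parse with the WHATWG URL parser, then allowlist every part.
// Returns { load: boolean, reason: string } so callers can log rejections.
function classifyDeepLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { load: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { load: false, reason: "scheme" };
  if (url.username !== "" || url.password !== "") return { load: false, reason: "userinfo" };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { load: false, reason: "host" };
  const allowedParams = ALLOWED_ROUTES.get(url.pathname);
  if (allowedParams === undefined) return { load: false, reason: "path" };
  for (const [name, value] of url.searchParams) {
    if (!allowedParams.has(name)) return { load: false, reason: `param-name:${name}` };
    if (!SAFE_VALUE.test(value)) return { load: false, reason: `param-value:${name}` };
  }
  // None of these routes needs a fragment, and the fragment is a common carrier
  // for client-side payloads, so anything after '#' is rejected outright.
  if (url.hash !== "") return { load: false, reason: "fragment" };
  return { load: true, reason: "ok" };
}

// Constructed sample links (not from the research): one legitimate link and
// several shapes of crafted link a user could be sent over a chat application.
const SAMPLE_LINKS = [
  "https://www.okcupid.com/profile?id=u_12345",
  "https://www.okcupid.com/profile?id=<script>alert(document.cookie)</script>",
  "https://www.okcupid.com/profile?id=u_12345#<img src=x onerror=alert(1)>",
  "https://www.okcupid.com.attacker.example/profile?id=u_12345",
  "https://login:secret@www.okcupid.com/profile?id=u_12345",
  "https://www.okcupid.com/profile?id=u_12345&redirect=//attacker.example",
  "javascript:alert(1)",
  "not a url at all",
];

// Side-by-side verdicts, so the gap between the two checks is visible.
function compareChecks(links) {
  return links.map((link) => ({
    link,
    weak: weakCheck(link),
    hardened: classifyDeepLink(link),
  }));
}

for (const row of compareChecks(SAMPLE_LINKS)) {
  const verdict = row.hardened.load ? "LOAD  " : "REJECT";
  console.log(`${verdict} (${row.hardened.reason}) weak=${row.weak} ${row.link}`);
}
```

The point of the contrast is the one Kozyrakis makes: once the app opens links like a browser in an already authenticated session, the link itself is the attack surface, so the check has to be structural (scheme, host, exact route, parameter names and parameter shapes) rather than a test of whether the link "looks like" it belongs to the service. The substring check passes the look-alike host and the script-bearing parameter; the hardened check passes only the first sample.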
Ray Kelly, principal security engineer at application security platform provider WhiteHat Security Inc., noted that mobile app developers often do not realize that their apps can be vulnerable to the same exploits as typical websites.
“This demonstrates the importance of not only testing the mobile app for security vulnerabilities but also any backend or linked web servers with a thorough dynamic application security testing assessment,” Kelly said.