Broken hearts: OkCupid vulnerability exposes users’ credentials to hackers

OkCupid has been involved in some cybersecurity dustups lately, and they have left seekers of romantic connection at serious risk for hacking. The most recent, which is just in time for Valentine’s Day, is a proof-of-concept attack uncovered by researchers at the Israel-based Checkmarx. The research is being disclosed to various news outlets that focus on InfoSec, and much of my information about this proof-of-concept attack comes from a report done by Kaspersky Lab’s Threatpost (a report that includes an interview with a researcher from Checkmarx).

The flaw in question, if exploited properly, could allow a full compromise of a victim’s application, with credentials being exposed or man-in-the-middle attacks taking place. The vulnerability, which does not have a CVSS score, results from OkCupid’s “Webview” treating any URL containing the string “/l/” as a MagicLink. This means that the link does not redirect outside of the application and is instead opened within the hybrid Webview of OkCupid’s Android application.
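An added example (not OkCupid's or Checkmarx's code) that contrasts the substring check described above with a stricter check that parses the URL before deciding whether it may open in-app. The host `app.example.com`, the class and method names, and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class MagicLinkRouter {
    // Hypothetical first-party host; the article does not name the real one.
    private static final Set<String> TRUSTED_HOSTS = Set.of("app.example.com");

    // Behaviour the article describes: any URL containing "/l/" is a MagicLink.
    static boolean naiveIsMagicLink(String url) {
        return url.contains("/l/");
    }

    // Stricter check: parse first, then require https, a trusted host,
    // no userinfo component, and a normalized path that starts with /l/.
    static boolean strictIsMagicLink(String url) {
        final URI uri;
        try {
            uri = new URI(url).normalize();
        } catch (URISyntaxException e) {
            return false; // unparseable links never open in-app
        }
        String host = uri.getHost();
        String path = uri.getPath();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT))
                && uri.getUserInfo() == null
                && path != null
                && path.startsWith("/l/");
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample URLs
            "https://app.example.com/l/abc123",              // first-party link
            "https://other.example.net/l/login",             // foreign host
            "https://app.example.com.other.example.net/l/x", // look-alike host
            "https://app.example.com@other.example.net/l/x", // userinfo trick
            "http://app.example.com/l/abc123",               // cleartext scheme
            "https://app.example.com/help?next=/l/x",        // marker in query only
        };
        for (String s : samples) {
            System.out.printf("%-48s naive=%-5b strict=%b%n",
                    s, naiveIsMagicLink(s), strictIsMagicLink(s));
        }
    }
}
```

The naive check accepts all six constructed URLs, while the strict check accepts only the first; anything rejected would be handed to the normal external-link path rather than loaded inside the app.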

In an interview with Threatpost, head researcher Erez Yalon elaborated on the flaw:

“Users are used to somewhat suspecting links that arrive by email or messaging apps, but there is false confidence in links that are sent as internal messages in apps... Awareness should be raised toward that kind of attack. Unfortunately, in this case, the attack would be very hard to identify by an unsuspecting user, so the responsibility of protection is on the vendor.

“In the attack we crafted, the web page simulates a user login page with the OkCupid look and feel, inside the OkCupid application. The user is tricked into providing his credentials; he has no reason to suspect that it is not a legitimate request. These credentials are then sent to the attacker.

“With this elevated control, the attacker can now impersonate the victim, monitor the app’s usage, read all messages and even track the victim’s geographic location.”

Since the OkCupid vulnerability was first reported, the company has created an update, which users should install as soon as possible. It is important to note that OkCupid is just one of many dating applications attacked by black hats, so caution is advisable when navigating these platforms.

Or, you know, maybe just try dating the old-fashioned way?


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
