Broken hearts: OkCupid vulnerability exposes users’ credentials to hackers

OkCupid has been involved in several cybersecurity dustups lately, and they have left seekers of romantic connection at real risk of being hacked. The most recent, disclosed just in time for Valentine’s Day, is a proof-of-concept attack developed by researchers at the Israel-based Checkmarx. The research is being disclosed through news outlets that focus on InfoSec, and much of my information about the proof of concept comes from a report by Kaspersky Lab’s Threatpost, which includes an interview with a Checkmarx researcher.

The flaw, if exploited properly, lets an attacker load arbitrary web content inside the victim’s copy of the application, which can be used to harvest credentials or to stage man-in-the-middle attacks against the session. The vulnerability, which has not been assigned a CVSS score, stems from how OkCupid’s Android application handles links: its WebView treats any URL containing the string “/l/” as a “MagicLink.” Such a link is not handed off to the device’s browser; it is opened inside the hybrid WebView of the OkCupid Android app, so an attacker-controlled page whose URL happens to contain “/l/” is rendered as though it were part of OkCupid itself.
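To make the mechanism concrete, here is an added example, written for this article and not taken from OkCupid’s app or from Checkmarx’s proof of concept. It models in Python the classification decision an app’s link handler makes before deciding whether to render a URL in its own WebView. The substring rule mirrors the behaviour described above; the hardened version parses the URL first and requires an https scheme, an allowlisted host, and the magic-link prefix at the start of the path. The host names, the prefix and the sample links are assumptions constructed for the example.

```python
"""Link classification for an in-app "magic link" handler (constructed example).

The vulnerable rule treats any URL containing "/l/" as internal, as the article
describes. The hardened rule parses the URL and checks scheme, host and path
separately. Host names and sample links below are assumptions for this demo.
"""
from urllib.parse import urlsplit

# Assumed allowlist: the only origins the app should ever render in its WebView.
TRUSTED_HOSTS = frozenset({"okcupid.com", "www.okcupid.com"})
# Assumed path prefix that marks a MagicLink (the article only gives "/l/").
MAGIC_LINK_PREFIX = "/l/"


def is_magic_link_vulnerable(url: str) -> bool:
    """The rule the article describes: any URL containing "/l/" anywhere
    (host, path, query or fragment) is treated as internal and opened in-app."""
    return "/l/" in url


def is_magic_link_hardened(url: str) -> bool:
    """Parse first, then decide on scheme, host and path separately.

    Anything that fails is not a MagicLink and should be handed to the system
    browser rather than rendered inside the application.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # .hostname lower-cases and strips userinfo and port, so
    # "https://www.okcupid.com@attacker.example/l/x" yields "attacker.example".
    if parts.hostname not in TRUSTED_HOSTS:
        return False
    # Only the path counts; "/l/" inside a query string or fragment is not a magic link.
    return parts.path.startswith(MAGIC_LINK_PREFIX)


# Constructed sample links, as an attacker might send them through in-app messaging.
SAMPLE_LINKS = [
    "https://www.okcupid.com/l/abc123",                  # genuine magic link
    "https://attacker.example/l/login",                   # off-site phishing page
    "https://www.okcupid.com@attacker.example/l/login",   # userinfo trick
    "https://www.okcupid.com.attacker.example/l/login",   # look-alike subdomain
    "http://www.okcupid.com/l/abc123",                    # plain http, interceptable
    "https://www.okcupid.com/search?next=/l/abc123",      # "/l/" only in the query
]


def attacker_reachable(urls=SAMPLE_LINKS):
    """Links the substring rule would open inside the WebView but the hardened
    check refuses: exactly the ones usable for in-app phishing."""
    return [u for u in urls
            if is_magic_link_vulnerable(u) and not is_magic_link_hardened(u)]


if __name__ == "__main__":
    for u in SAMPLE_LINKS:
        print(f"{u:55} substring={is_magic_link_vulnerable(u)!s:5} "
              f"hardened={is_magic_link_hardened(u)}")
```

Run against the sample links, only the first passes both checks; the other five are links the substring rule would render inside the app even though they point off-site, hide “/l/” in the query string, or downgrade to plain http. In a real Android app this decision belongs in the WebViewClient’s shouldOverrideUrlLoading callback, with rejected URLs handed to the system browser via an intent rather than loaded in the WebView.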

In an interview with Threatpost, head researcher Erez Yalon elaborated on the flaw:

“Users are used to somewhat suspecting links that arrive by email or messaging apps, but there is false confidence in links that are sent as internal messages in apps... Awareness should be raised toward that kind of attack. Unfortunately, in this case, the attack would be very hard to identify by an unsuspecting user, so the responsibility of protection is on the vendor.

“In the attack we crafted, the web page simulates a user login page with the OkCupid look and feel, inside the OkCupid application. The user is tricked into providing his credentials; he has no reason to suspect that it is not a legitimate request. These credentials are then sent to the attacker.

“With this elevated control, the attacker can now impersonate the victim, monitor the app’s usage, read all messages and even track the victim’s geographic location.”

Since the vulnerability was reported, OkCupid has released an update, and users should install it as soon as possible. It is worth stating that OkCupid is only one of many dating applications targeted by black hats, so caution is advisable when using any of these platforms.

Or, you know, maybe just try dating the old-fashioned way?

Featured image: Pixabay

Derek Kortepeter

Derek Kortepeter is a UCLA graduate and tech journalist committed to creating a society that is well informed about Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

