OkCupid has been involved in some cybersecurity dustups lately, and they have left seekers of romantic connection at real risk of being hacked. The most recent, arriving just in time for Valentine’s Day, is a proof-of-concept attack uncovered by researchers at the Israel-based Checkmarx. The research is being disclosed to various news outlets that focus on InfoSec, and much of my information about this proof-of-concept attack comes from a report by Kaspersky Lab’s Threatpost (a report that includes an interview with a researcher from Checkmarx).
The flaw, if exploited, could hand an attacker control of a victim’s session in the app, with credentials being captured or traffic subjected to a man-in-the-middle attack. The vulnerability, which has not been assigned a CVSS score, stems from how the OkCupid Android app handles its MagicLinks: the app’s WebView treats any URL containing the string “/l/” as a MagicLink. Rather than being handed off to the device’s external browser, such a link is opened inside the hybrid WebView of the OkCupid Android application. Because the match is on a substring anywhere in the URL rather than on a verified OkCupid host, an attacker-controlled page whose address happens to contain “/l/” renders inside the app as well, without the browser chrome that would normally reveal where the page actually came from.
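To make the routing decision concrete, here is an added illustration written for this post; it is not OkCupid’s code (their source is not public). It places the substring check the report describes beside a hardened version that only treats a link as a MagicLink when it is an https URL on the app’s own host with a path under /l/, and sends everything else to the system browser. The host name www.okcupid.com and the class name are assumptions for the example.

```java
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Illustrative WebViewClient (hypothetical, not OkCupid's code). It decides
 * whether a URL the WebView is about to navigate to may be loaded in-app as a
 * MagicLink or must be handed off to the external browser.
 */
public class MagicLinkWebViewClient extends WebViewClient {

    // Assumed for illustration: the only host whose /l/ links are trusted.
    private static final String TRUSTED_HOST = "www.okcupid.com";
    private static final String MAGIC_LINK_PATH_PREFIX = "/l/";

    /**
     * The pattern the research describes: any URL containing "/l/" is treated
     * as a MagicLink. "https://attacker.example/l/login" satisfies this test,
     * so an attacker-controlled page is rendered inside the app.
     */
    static boolean isMagicLinkVulnerable(Uri uri) {
        return uri != null && uri.toString().contains(MAGIC_LINK_PATH_PREFIX);
    }

    /**
     * Hardened check: scheme, host and path are parsed and compared
     * individually instead of searching the raw string.
     *   https://www.okcupid.com/l/abc                  -> trusted
     *   https://attacker.example/l/login               -> rejected (host)
     *   https://www.okcupid.com.attacker.example/l/x   -> rejected (host)
     *   http://www.okcupid.com/l/abc                   -> rejected (scheme)
     *   https://www.okcupid.com/profile?next=/l/       -> rejected (path)
     */
    static boolean isTrustedMagicLink(Uri uri) {
        if (uri == null || uri.isOpaque()) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        // A userinfo component ("https://www.okcupid.com@attacker.example/l/")
        // never appears in a legitimate MagicLink; reject it outright.
        if (uri.getUserInfo() != null) {
            return false;
        }
        String host = uri.getHost();
        if (host == null || !host.equalsIgnoreCase(TRUSTED_HOST)) {
            return false;
        }
        String path = uri.getPath();
        return path != null && path.startsWith(MAGIC_LINK_PATH_PREFIX);
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        if (isTrustedMagicLink(uri)) {
            // Our own MagicLink: let the WebView load it in-app.
            return false;
        }
        // Anything else leaves the app. Only http/https is handed to the
        // system browser, where the user can see the real address; other
        // schemes are simply dropped rather than dispatched to arbitrary apps.
        String scheme = uri == null ? null : uri.getScheme();
        if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) {
            view.getContext().startActivity(new Intent(Intent.ACTION_VIEW, uri));
        }
        return true; // the WebView itself does not load it either way
    }
}
```

The WebResourceRequest overload of shouldOverrideUrlLoading is the API 24+ form; on older targets the String overload needs the same check after Uri.parse. The point is parse-then-compare: a substring test on the raw URL is satisfied by any attacker host, by a look-alike subdomain such as www.okcupid.com.attacker.example, and by a query string that merely mentions /l/, while the parsed host and path comparison rejects all three.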
In an interview with Threatpost, head researcher Erez Yalon elaborated on the flaw:
“Users are used to somewhat suspecting links that arrive by email or messaging apps, but there is false confidence in links that are sent as internal messages in apps… Awareness should be raised toward that kind of attack. Unfortunately, in this case, the attack would be very hard to identify by an unsuspecting user, so the responsibility of protection is on the vendor.
“In the attack we crafted, the web page simulates a user login page with the OkCupid look and feel, inside the OkCupid application. The user is tricked into providing his credentials; he has no reason to suspect that it is not a legitimate request. These credentials are then sent to the attacker.
With this elevated control, the attacker can now impersonate the victim, monitor the app’s usage, read all messages and even track the victim’s geographic location.”
Since the vulnerability was reported, OkCupid has released an updated version of the app, and users should install it as soon as possible. It is worth stating that OkCupid is only one of many dating applications that black hats target, so caution when navigating any of these platforms is advisable.
Or, you know, maybe just try dating the old-fashioned way?
Featured image: Pixabay