Hacker, 22, seeks LTR with your data: vulnerabilities found on popular OkCupid dating app

No Real Daters Harmed in This Exercise

Research by Alon Boxiner, Eran Vaknin

With more than 50 million registered users since its launch, and the majority aged between 25 and 34, OkCupid is one of the most popular dating platforms globally. Conceived in 2004, when four friends from Harvard created the first free online dating site, it claims that more than 91 million connections are made through it annually, that 50K dates are made every week, and that in 2012 it became the first major dating site to release a mobile application.

Dating apps enable a convenient, accessible and immediate connection with other people using the application. By sharing personal preferences in almost every area, and using the app's advanced algorithm, it matches users with like-minded people who can instantly start interacting via instant messaging.

To make all these connections, OkCupid builds personal profiles for all its users, so that it can make the best match, or matches, based on each user's valuable private information.

Of course, these detailed personal profiles are not only of interest to potential partners. They are also highly prized by hackers, as they are the 'gold standard' of data, either to be used in targeted attacks or to be sold on to other hacking groups, because they allow attack attempts to be very convincing to unsuspecting targets.

As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to research the OkCupid app and see whether we could find something that matched our interests. And we did find several things that led us into a deeper relationship (strictly professional, of course). The vulnerabilities we found and have described in this research could have allowed attackers to:

  • Expose users' sensitive data stored in the app.
  • Perform actions on behalf of the victim.
  • Steal users' profile and private data, preferences and characteristics.
  • Steal users' authentication token, user IDs, and other sensitive information such as email addresses.
  • Send the data gathered to the attacker's server.

Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research, and a fix was responsibly implemented to ensure its users can safely continue using the OkCupid app.

OkCupid added: "Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Checkpoint who, with OkCupid, put the privacy and safety of our users first."

Mobile Platform

We started our research by reverse engineering the OkCupid Android mobile application (v40.3.1 on Android 6.0.1). During the reversing process, we found that the application opens a WebView (with JavaScript enabled in the context of the WebView window) and loads remote URLs such as https://OkCupid.com, https://www.OkCupid.com, https://OkCupid.onelink.me and more.

Deep links allow attackers' intents

While reverse engineering the OkCupid application, we found that it has "deep links" functionality, allowing intents to be invoked in the application via a browser link.

The intents that the application listens to include the "https://OkCupid.com" scheme, the "OkCupid://" custom scheme and several more schemes:

An attacker can send a custom link containing one of the schemes mentioned above. Because the custom link contains the "section" parameter, the mobile application opens a WebView (browser) window inside the OkCupid mobile application. Any request made from that window is sent with the user's cookies.

For demonstration purposes, we used the following link:

The mobile application opens a WebView (browser) window with JavaScript enabled.

Reflected Cross-Site Scripting (XSS)

As our research continued, we discovered that the OkCupid main domain, https://www.OkCupid.com, is vulnerable to an XSS attack.

The injection point of the XSS attack was found in the user settings functionality.

Retrieving the user profile settings is done with an HTTP GET request sent to the following path:

The section parameter is injectable, and an attacker could use it to inject malicious JavaScript code.

For the purpose of demonstration, we popped a simple alert window. Note: as mentioned above, the mobile application opens a WebView window, so the XSS is executed in the context of an authenticated user of the OkCupid mobile application.

Sensitive Data Exposure & Performing actions on behalf of the victim

Up to this point, we were able to launch the OkCupid mobile application with a deep link, OkCupid://, containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the upper part contains the XSS payload and the lower part is the same payload URL-encoded):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.
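To make the server-side defect concrete, here is an added example (not OkCupid's code) of the pattern behind a reflected XSS in a parameter like section, next to the two fixes a practitioner would expect: output encoding and input allowlisting. The page template, the section names and the probe string are all constructed for the demo; only the parameter name comes from the write-up. The same checks apply whether the parameter arrives via a deep link into the WebView or via an ordinary browser request.

```javascript
// Added example, not code from OkCupid or Check Point. Demonstrates why a
// reflected query parameter executes script and how to render it safely.

// Hypothetical set of valid settings sections; the real names are not on the page.
const SECTION_ALLOWLIST = new Set(["profile", "privacy", "notifications"]);

// HTML-escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable pattern: the parameter is concatenated into the page as-is, so
// markup in it becomes part of the document and runs with the user's cookies.
function renderSettingsVulnerable(section) {
  return `<h1>Settings: ${section}</h1>`;
}

// Fix 1, output encoding: whatever the parameter contains is rendered as text.
function renderSettingsEncoded(section) {
  return `<h1>Settings: ${escapeHtml(section)}</h1>`;
}

// Fix 2, input allowlisting: "section" only ever selects one of a fixed set of
// pages, so anything else is rejected before rendering. Encoding is kept as
// defence in depth in case the allowlist is later loosened.
function renderSettingsAllowlisted(section) {
  if (!SECTION_ALLOWLIST.has(section)) {
    return { status: 400, body: "<h1>Unknown settings section</h1>" };
  }
  return { status: 200, body: renderSettingsEncoded(section) };
}

// Minimal check used by the demo: does the rendered HTML contain a script tag
// that the template itself never emits?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed stand-in for a hostile "section" value.
const PROBE = '<script src="https://attacker.example/x.js"></script>';
```

Running the three renderers over PROBE shows the difference: the vulnerable template emits a live script tag, the encoded one emits it as visible text, and the allowlisted one refuses the request with a 400 before any rendering happens.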

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for exfiltration and contains 3 functions:

  1. Steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. The user's sensitive information (PII), such as email address, is exfiltrated as well.
  2. Steal_data – Steals the user's profile and private data, preferences, characteristics (e.g. answers filled in during registration), and more.
  3. Send_data_to_attacker – Sends the data gathered in functions 1 and 2 to the attacker's server.

Steal_token function:

The function generates an API call to the server. The user's cookies are sent with it, since the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON document that includes the user's id and the authentication token:

Steal_data function:

The function generates an HTTP request to the https://www.OkCupid.com:443/graphql endpoint.

Using the information exfiltrated by the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with the victim's profile information, including email, sexual orientation, height, family status, etc.

Send_data_to_attacker function:

The function generates a POST request to the attacker's server containing all the details retrieved by the previous function calls (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is also possible because the victim's authentication token and user id have been exfiltrated. This information is used in the malicious JavaScript code in the same way as in the steal_data function.

An attacker can perform actions such as sending messages and changing profile data thanks to the information exfiltrated by the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (Bearer value).
  2. The user id, userId, is added as required.

Note: An attacker cannot perform a full account takeover because the cookies are protected with the HttpOnly flag.

Web Platform Vulnerabilities

Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured correctly: any origin can send requests to the server and read its responses. The following shows a request sent to the API server from the origin https://OkCupidmeethehacker.com:

The server does not validate the origin properly and responds with the requested information. Moreover, the server response contains the Access-Control-Allow-Origin: https://OkCupidmeethehacker.com and Access-Control-Allow-Credentials: true headers:

Only at that point on, we discovered that individuals can deliver needs to your API host from our domain (OkCupidmeethehacker.com) without having to be blocked by the CORS policy.

Once a victim is authenticated on the OkCupid application and browses to the attacker's web application (https://OkCupidmeethehacker.com), an HTTP GET request is sent to https://api.OkCupid.com/1/native/bootstrap carrying the victim's cookies. The server's response is a large JSON document containing the victim's authentication token (oauth_accesstoken) and the victim's user_id.
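The CORS failure described above comes down to one server-side decision: what to put in Access-Control-Allow-Origin and Access-Control-Allow-Credentials for a given Origin header. The following added example (not OkCupid's code) models that decision as a pure function, once in the reflecting form the write-up describes and once in a strict allowlist form, together with a small simulation of the browser's read gate. The allowlist contents and the first-party origins are assumptions; the look-alike origin is the one from the write-up.

```javascript
// Added example, not code from OkCupid or Check Point. Shows the CORS header
// decision behind the cross-origin data exposure and a hardened replacement.

// Assumed first-party origins; the real allowlist is not on the page.
const ALLOWED_ORIGINS = new Set([
  "https://www.okcupid.com",
  "https://okcupid.com",
]);

// Misconfigured policy as described in the write-up: whatever Origin arrives
// is echoed back together with Allow-Credentials: true, so any site the victim
// visits can make cookie-bearing requests and read the JSON in the response.
function corsHeadersReflecting(originHeader) {
  if (!originHeader) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: normalise the Origin, compare it exactly against a fixed
// allowlist, and only then allow credentials. An exact match is what stops a
// look-alike such as https://OkCupidmeethehacker.com; a prefix, substring or
// regex test on the hostname is a common way this check goes wrong.
function corsHeadersStrict(originHeader) {
  if (!originHeader) return {}; // same-origin or non-browser client: no CORS headers
  let origin;
  try {
    const u = new URL(originHeader);
    origin = `${u.protocol}//${u.host}`.toLowerCase();
  } catch {
    return {}; // malformed Origin: deny
  }
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not serve one origin's answer to another
  };
}

// Browser read gate, simplified: a credentialed cross-origin response is
// readable by page script only if ACAO equals the requesting origin exactly
// (a wildcard is not accepted with credentials) and ACAC is "true".
// Browsers send Origin already lower-cased, which is why the strict policy
// can compare its normalised value against the header it received.
function browserCanReadResponse(requestOrigin, headers) {
  return headers["Access-Control-Allow-Origin"] === requestOrigin.toLowerCase() &&
    headers["Access-Control-Allow-Credentials"] === "true";
}
```

With the reflecting policy, a page on OkCupidmeethehacker.com gets a readable, cookie-authenticated response from an endpoint like /1/native/bootstrap; with the strict policy the response carries no CORS headers at all and the browser withholds it from the attacker's script, while the assumed first-party origin still works.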

We can find more useful information in the bootstrap API endpoint – a list of sensitive API endpoints on the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:

Added: 28 September 2020