This week Check Point Research published research about the dating website OkCupid.

While Tinder is usually the app associated with dating these days, OkCupid still does well for itself with a reported 50 million members, 5 million of whom are active.

But today is not about singing the praises of OkCupid. Rather, we bring you some concerning news about security vulnerabilities in the website discovered by Check Point Research.

“As our researchers have uncovered vulnerabilities in other popular social media platforms and apps, we decided to look into the OkCupid app and see if we could find anything that matched our interests. And we found several things that led us into a deeper relationship (purely professional, of course),” wrote Check Point Research researchers, Alon Boxiner and Eran Vaknin.

Through its work, Check Point Research found several vulnerabilities that gave an attacker access to a myriad of user information.

This included the ability to:

  • Expose a user’s data stored on OkCupid
  • Perform actions on behalf of a victim
  • Steal a user’s profile, data, preferences and characteristics
  • Steal authentication tokens, user IDs and other sensitive information including email addresses
  • Send data to an attacker’s server

This was all discovered upon reverse engineering the OkCupid Android app.

“During the reversing process, we discovered that the application is opening a WebView (and enables JavaScript to execute in the context of the WebView window) and loads remote URLs such as https://OkCupid.com, https://www.OkCupid.com, https://OkCupid.onelink.me and more,” said the researchers.

With this in mind, Check Point set out to see how far it could push this, and the answer is: very far.

The OkCupid app reportedly made use of deep links, which make it possible to invoke intents on the app from a browser link. This was made easier by the app listening for URL schemas such as https://OkCupid.com or OkCupid://.

“An attacker can send a custom link that contains the schemas mentioned above. Since the custom link will contain the ‘section’ parameter, the mobile application will open a webview (browser) window – OkCupid mobile application. Any request will be sent with the users’ cookies,” said Check Point Research.

Adding to the problems, the researchers found that the OkCupid website was vulnerable to a cross-site scripting (XSS) attack.
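
The following Java is an added example, not code from OkCupid or Check Point Research: it shows how a deep-link handler can vet a link before loading anything into a WebView that carries the user's cookies. The host list, the section names and the rebuilt route are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public final class DeepLinkGuard {
    // Assumption: the only hosts allowed into the cookie-bearing WebView.
    private static final Set<String> HOSTS = Set.of("okcupid.com", "www.okcupid.com");
    // Hypothetical section names; the app's real values are not on the page.
    private static final Set<String> SECTIONS = Set.of("profile", "settings", "messages");

    /** Returns a URL rebuilt from vetted parts only, or empty when the link is refused. */
    public static Optional<String> vet(String rawLink) {
        if (rawLink == null) return Optional.empty();
        URI uri;
        try { uri = new URI(rawLink); } catch (URISyntaxException e) { return Optional.empty(); }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (scheme.equals("https")) {
            String host = uri.getHost();   // null when the authority is malformed
            if (host == null || !HOSTS.contains(host.toLowerCase(Locale.ROOT))
                    || uri.getUserInfo() != null || uri.getPort() != -1) {
                return Optional.empty();   // exact host match, no user@host forms, no ports
            }
        } else if (!scheme.equals("okcupid")) {
            return Optional.empty();   // refuses http:, javascript:, file:, data: and the rest
        }
        String section = null;
        String query = uri.getRawQuery() == null ? "" : uri.getRawQuery();
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            if (!kv[0].equals("section")) continue;
            if (section != null || kv.length < 2) return Optional.empty();   // duplicate or valueless
            section = kv[1];   // raw value: encoded or marked-up input cannot match the allowlist
        }
        if (!SECTIONS.contains(section == null ? "" : section)) return Optional.empty();
        // Hypothetical route; only an allowlisted constant is placed in the URL that gets loaded.
        return Optional.of("https://www.okcupid.com/settings?section=" + section);
    }

    public static void main(String[] args) {
        String[] constructed = {   // constructed sample links
            "https://www.okcupid.com/settings?section=profile",
            "okcupid://settings?section=messages",
            "https://www.okcupid.com/settings?section=%3Cb%3Ex%3C%2Fb%3E",
            "https://okcupid.com@attacker.example/settings?section=profile",
            "http://okcupid.com/settings?section=profile",
        };
        for (String link : constructed) System.out.println(vet(link).orElse("REFUSED") + " <= " + link);
    }
}
```

In an Android app the same checks would run on the intent's data URI before any call that loads a page into the WebView; server-side output encoding is still needed to close the XSS itself.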

We urge you to take a look at the research located here. It is both scary and fascinating to see just how easy it would’ve been to attack a user.

The good news is that Check Point Research alerted OkCupid to these vulnerabilities and the vulnerabilities have been addressed.

“Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Checkpoint who with OkCupid, put the safety and privacy of our users first,” OkCupid said in a statement.

But Check Point Research has raised a very valid point with this incident.

Dating websites and apps have access to an incredible amount of data, data that is often used in the background to find your perfect match.

In a criminal’s hands, that data could be incredibly dangerous, and we are now curious about how seriously other popular dating websites and apps take their security.

“The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The dire need for privacy and data security becomes far more crucial when so much private and intimate information being stored, managed and analysed in an app. The app and platform was created to bring people together, but of course where people go, criminals will follow, looking for easy pickings,” concludes Check Point Research.

[Source – Check Point Research]