Android dating app flaw could have opened the door to phishing attacks

Researchers identify security issues in an Android app which could be exploited with a simple trick.
Written by Danny Palmer, Senior Writer

Security vulnerabilities discovered in the Android version of a popular online dating application could allow hackers to access usernames, passwords and personal information, according to security researchers.

The flaws in the Android version of the OKCupid dating app — which the Google Play Store lists as having over 10 million downloads — were discovered by researchers at cyber security firm Checkmarx. The researchers have previously disclosed exploits that could be abused by hackers in another dating app.

The researchers found that the WebView built-in browser contained vulnerabilities which could be exploited by attackers.

While most links in the app will open in the user's browser of choice, researchers found it was possible to mimic certain links that open within the application.

"One of these types of links was very easy to mimic and an attacker with even basic skills would be able to do this and convince OKCupid it's a safe link," Erez Yalon, head of application security research at Checkmarx told ZDNet.

Using this, the researchers found they could create a fake version of the OKCupid login page and, using a fake profile, use the app's messaging service to conduct a phishing attack that invites the targeted users to click on the link.

Users would need to enter their login details to see the contents of the message, handing their credentials to the attacker. And because the internal link doesn't display a URL, the user would have no indication that they'd logged into a phony version of the application.


With the username and password of the victim stolen, the attacker could login to their account and see all of the information on their profile, potentially personally identifying users. Given the intimate nature of dating applications, that could include information the users wouldn't want public.

"We could see not only the name and password of the user and what messages they send, but everything: we can follow their geographic location, what relationship they're looking for, sexual preferences — whatever OKCupid has on you, the attacker could get on you," said Yalon.

They found it was also possible for an attacker to combine crafting phishing links with API and JavaScript functions that had been inadvertently left exposed to users. By doing this, it's possible to remove encryption and downgrade the connection from HTTPS to HTTP — and that allowed for a man-in-the-middle attack.

With the connection downgraded, the attacker could see everything the user was doing, impersonate the victim, change messages, and even track the geographical location of the victim.
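Stripped of the app-specific details, the two problems described above are a WebView that loads whatever URL it is handed and a WebView that exposes app functionality to page scripts. The Java snippet below is an added illustration of the defensive pattern, not code from OKCupid, Match Group or Checkmarx: an in-app WebViewClient that loads only HTTPS URLs whose host is on an exact-match allow-list, hands any other web link to the system browser (where the user can see the address bar), and removes a JavaScript bridge from the WebView. The host name `www.example-dating-app.test` and the bridge name `legacyBridge` are placeholders.

```java
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Restricts what an in-app WebView is allowed to load (added example, not the app's code). */
public final class RestrictedWebViewClient extends WebViewClient {

    // Placeholder allow-list; a real app lists only the hosts it genuinely renders in-app.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example-dating-app.test"));

    /** True only for an https:// URL whose host exactly matches an allow-listed host. */
    static boolean isTrustedUrl(Uri uri) {
        if (uri == null) return false;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        // Plain http:// is refused outright, so a crafted link cannot downgrade the session.
        if (!"https".equalsIgnoreCase(scheme)) return false;
        // Exact, case-insensitive host match: no suffix or substring matching,
        // which look-alike domains are built to pass.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Called for navigations inside the WebView (API 24+ signature). */
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri target = request.getUrl();
        if (isTrustedUrl(target)) {
            return false; // trusted: let the WebView load it
        }
        String scheme = target == null ? null : target.getScheme();
        if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) {
            // Ordinary web link: open it in the user's browser, where the URL is visible.
            try {
                view.getContext().startActivity(new Intent(Intent.ACTION_VIEW, target));
            } catch (ActivityNotFoundException ignored) {
                // No browser installed; simply do not navigate.
            }
        }
        // Any other scheme is dropped rather than dispatched as an Intent.
        return true; // consumed: the WebView does not navigate
    }

    /** Hardens WebView settings so page scripts get no bridge into the app and no downgrade path. */
    static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false); // enable only if the rendered pages require it
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        // A bridge object previously exported with addJavascriptInterface would be callable
        // by whatever page is loaded; remove it. "legacyBridge" is a placeholder name.
        webView.removeJavascriptInterface("legacyBridge");
        webView.setWebViewClient(new RestrictedWebViewClient());
    }
}
```

Two caveats for anyone adapting this: `shouldOverrideUrlLoading` is not invoked for the URL passed to `loadUrl()` itself or for sub-resources such as iframes, so the same `isTrustedUrl` check belongs in front of every `loadUrl()` call (and in `shouldInterceptRequest` if sub-resources matter); and an allow-listed host is only as safe as the content it serves, which is why the JavaScript bridge is removed rather than merely guarded.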

The security company disclosed the findings to OKCupid's owner, Match Group, in November last year, and an update was rolled out to close the vulnerabilities shortly afterwards. Yalon praised Match Group for being "very responsive".

An OKCupid spokesperson told ZDNet: "Checkmarx alerted us of a security vulnerability in the Android app, which we patched and resolved the issue. We also checked that the issue didn't exist on mobile and iOS as well."

Checkmarx stresses that no real users were exploited as part of its research, and while it isn't thought that the attack has been used in the wild, Yalon pointed out "we can't really tell, because of the way it's hidden so well."
