OkCupid: Hackers want your data, not a relationship

Researchers discovered a way to steal the personal and sensitive data of users on the popular dating app.
Written by Charlie Osborne, Contributing Writer

Researchers exploring OkCupid for security holes have found a way for hackers to pillage the sensitive data of users. 

OkCupid has catered to over 50 million registered users since its launch. As one of the most popular options out there for dating -- alongside rivals such as Tinder, Plenty of Fish, eHarmony, Match, and Grindr -- the online dating platform is used to organize roughly 50,000 dates per week. 

In a time where the novel coronavirus pandemic and social distancing measures make meeting new people in a bar or other public space more difficult, many of us have turned to online dating and virtual meetups as an alternative. 

See also: Threesome app exposes user data, locations from London to the White House

Dating apps experiencing a surge in users or requests for new features -- such as video chats -- began changing the way their platforms worked, and OkCupid was no exception. The dating platform has experienced a 20% increase in conversations worldwide and a 10% increase in matches since the beginning of lockdowns imposed due to COVID-19.

With an expanding user base, however, there comes additional risk to personal data when security is not up to scratch. 

On Wednesday, Check Point Research disclosed a set of vulnerabilities in OkCupid that could lead to the exposure of sensitive profile data on the OkCupid app, the hijack of user accounts to perform various actions without their permission, and the theft of user authentication tokens, IDs, and email addresses.

The app in question is OkCupid on Android, with version 40.3.1 on Android 6.0.1 becoming the test subject. 

The cybersecurity researchers reverse-engineered the mobile software and discovered "deep link" functionality, which meant that it could be possible for attackers to send custom, malicious links to open the mobile app. 

Reflected Cross-Site Scripting (XSS) attack vectors were also discovered due to coding issues in the app's user settings functionality, which opened up a path for the deployment of JavaScript code. 

CNET: Face masks are thwarting even the best facial recognition algorithms, study finds

Combined, an attacker could send an HTTP GET request and an XSS payload from their own server, of which JavaScript could then be executed via WebView.

If a victim clicks on a crafted link -- potentially sent personally through the app or posted on a public forum -- PII, profile data, user characteristics -- such as those submitted when profiles are created -- preferences, email addresses, IDs, and authentication tokens could all be compromised and exfiltrated to the attacker's command-and-control server (C2). 

As the vulnerabilities could be used to steal IDs and tokens, this could also lead to attackers executing actions on their behalf, such as sending messages. However, a full account takeover is not possible due to existing cookie protections. 

Check Point also uncovered a misconfigured Cross-Origin Resource Sharing (CORS) policy in the API server of api.OkCupid.com, allowing any origin to send requests to the server and to read responses. Further attacks could lead to the filtration of user data from the profile API endpoint. 

TechRepublic: Which workers are your biggest security nightmare? It might not be the people you expect

While the theft of information submitted to a dating app may not seem like such a big deal, the wealth of personal data possibly harvested by attackers could be used in social engineering attempts, leading to far more damaging consequences. 

"The app and platform were created to bring people together, but of course where people go, criminals will follow, looking for easy pickings," the researchers commented. 

Check Point Research informed OkCupid of its findings and the security issues have now been resolved. 

"Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours," the company said. "We're grateful to partners like Checkpoint who with OkCupid, put the safety and privacy of our users first."

In related news, in May, MobiFriends was central to a data leak in which the personal information of 3.6 million users was compromised and posted online. The data dump also included poorly-encrypted passwords. 

ZDNet has reached out to OkCupid with additional queries and will update when we hear back. 

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards