OKCupid Fixed Serious Security Vulnerability After Alert

The popular OKCupid online dating service left the private details of its more than 50 million users in 110 countries vulnerable to hacking, Check Point reported this morning.

After discovering the potential for malicious actions, Check Point presented its findings to OKCupid, which fixed the security flaws in its servers within 48 hours of being notified. The dating service said not a single user was impacted by the potential vulnerability, which could have allowed a threat actor to masquerade as a user.

At risk were full profile details, private messages, sexual orientation, personal addresses, and all submitted answers to OKCupid’s profiling questions.

According to the Check Point report, malicious actions such as manipulating user profile data and sending messages could have been carried out on behalf of a victim without that user’s knowledge.

To carry out the attack, a threat actor could have injected malicious code into OkCupid web and mobile pages by generating a single malicious link and sending it to users. Check Point researchers outlined the attack method in three steps:

  • Threat actor generates a link containing a payload that initiates the attack.
  • Threat actor sends the link to the victim, or publishes it in a public forum.
  • Once the victim taps or clicks the link, the malicious code is executed, resulting in data exfiltration.

Check Point reverse engineered the OkCupid Android mobile application (v40.3.1 on Android 6.0.1) and discovered that the application opened a WebView with JavaScript execution enabled in the context of the WebView window, and loaded remote URLs into it.

While reverse engineering the OkCupid application, Check Point also found a “deep links” feature that makes it possible to invoke intents in the app via a browser link.
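The two findings above, a JavaScript-enabled WebView that loads remote URLs and a deep-link entry point reachable from a browser link, are a combination defenders can close by validating the destination before the WebView ever sees it. The following Android activity is an added illustration of that hardening pattern; it is not OkCupid's code and not from the Check Point report. The package name, activity name, `ALLOWED_HOSTS` entries and the fallback URL are assumptions chosen for the example.

```java
// Added illustration of deep-link validation before a JavaScript-enabled WebView.
// Not OkCupid's code; package, class, hosts and fallback URL are assumed values.
package com.example.deeplinkdemo;

import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepLinkWebActivity extends AppCompatActivity {

    // Assumed allowlist: only first-party HTTPS hosts may be rendered in the WebView.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example-dating.com", "m.example-dating.com"));

    // Assumed first-party landing page used when the deep link is rejected.
    private static final String FALLBACK_URL = "https://www.example-dating.com/";

    // A URL may be shown in the JavaScript-enabled WebView only if it uses https,
    // carries no userinfo (e.g. https://trusted.example@evil.example/) and points at
    // an allowlisted host. javascript:, file:, http: and foreign hosts are rejected.
    static boolean isAllowedUrl(Uri uri) {
        if (uri == null) return false;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!"https".equalsIgnoreCase(scheme)) return false;
        if (uri.getUserInfo() != null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);   // required by the app's own pages
        settings.setAllowFileAccess(false);    // keep file:// content out of the WebView
        settings.setAllowContentAccess(false); // and content:// providers too

        // Re-check each top-level navigation the page attempts, not only the first
        // load, so a link or redirect cannot move the WebView off the allowlist.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation inside the WebView.
                return !isAllowedUrl(request.getUrl());
            }
        });

        // The deep-link URL arrives from outside the app via the launching intent
        // and is treated as untrusted input until it passes isAllowedUrl().
        Intent intent = getIntent();
        Uri target = intent != null ? intent.getData() : null;
        if (isAllowedUrl(target)) {
            webView.loadUrl(target.toString());
        } else {
            webView.loadUrl(FALLBACK_URL);
        }
    }
}
```

The check lives in one static method so it can be unit-tested with `Uri.parse(...)` inputs independently of the activity, and it is applied both to the initial intent data and to every subsequent navigation the WebView attempts. The activity would additionally need an intent filter in the manifest declaring which scheme and host it handles; that declaration is deliberately omitted here because the page does not show OkCupid's.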

As a result, an attacker could masquerade as an OkCupid user, carry out any actions that the user is able to perform, and access any of the user’s data.

A similar attack five years ago on the Ashley Madison dating service for married people resurfaced this past January, when app users were hit with ransomware demands threatening to reveal their affairs to spouses and others they know if they didn’t pay.

Oded Vanunu, Check Point’s head of products vulnerability research, said the OKCupid investigation raises serious questions about the security of all dating apps.

“The fundamental questions being: How safe are my intimate details on the application? How easily can someone I don’t know access my most private photos, messages and details?” Vanunu asked rhetorically.

Check Point said its work into OKCupid has sparked further investigation into other dating applications.

Dating service popularity has risen since the pandemic hit in mid-March, when the lockdown spurred social distancing. OkCupid, in fact, has seen a 30 percent increase in messages, a 20 percent increase in conversations and a 10 percent increase in matches worldwide.

OkCupid stated that, once the security problem was fixed, the solution was responsibly deployed to ensure its users can safely continue using the OkCupid app.