
Researchers from Check Point Software have discovered a number of vulnerabilities in online dating service OKCupid’s mobile app and website that could allow attackers to not only steal personal data, but take actions on a user’s behalf as well.


The vulnerabilities in OKCupid that Check Point discovered allow a potential attacker to do five things:

  • Expose user data stored in the OKCupid mobile app
  • Perform actions on behalf of the victim
  • Steal user profiles, private data, preferences, and personal characteristics
  • Steal user authentication tokens, user IDs, email addresses, and other sensitive account information
  • Send all the exposed data to an attacker’s server

“We demonstrated that users’ private details, messages, and photos could be accessed and manipulated by a hacker, so every developer and user of a dating app should pause to reflect on the levels of security around the intimate details and images that they host and share on these platforms,” said Oded Vanunu, head of products vulnerability research at Check Point.

The anatomy of a cybersecurity bullseye

Check Point researchers used several common exploits to achieve their results, which differed between the OKCupid mobile app and website.

The OKCupid mobile app makes extensive use of deep linking, which involves sending a user directly to an internally linked page without their realizing it. It’s a great way to help users navigate a web app, but it’s easily exploitable.


In the case of the OKC mobile app, malicious deep links that use OKCupid’s custom schema can be used by an attacker to trick the app into sending the link along with the user’s cookies. Check Point’s testers were able to open a webview browser window inside the app with JavaScript enabled.

The mobile app is also vulnerable to reflected cross-site scripting (XSS) attacks, allowing an attacker to inject their own code into the link that retrieves user profile settings. This serves as the second part of the attack: After opening a webview browser with JavaScript running and injecting XSS code, the attacker can move on to loading JavaScript from their own server.
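The two stages described above point to two defensive checks, sketched here as an added JavaScript example (not code from Check Point, OKCupid, or this article): the deep-link handler hands the webview only an allowlisted first-party HTTPS URL with vetted parameters, and the server encodes anything it reflects. The scheme, parameter names, host, and paths are hypothetical.

```javascript
// Added illustration. The scheme "exampleapp:", the "url" parameter, the host,
// the paths and the "section" parameter are hypothetical, not OKCupid's.
const ALLOWED_HOSTS = new Set(["www.example-dating.test"]);
const ALLOWED_PATHS = [/^\/settings$/, /^\/profile\/[A-Za-z0-9_-]{1,64}$/];
const ALLOWED_PARAMS = new Set(["section"]);
const SAFE_VALUE = /^[A-Za-z0-9_-]{1,32}$/;

// Returns the URL the in-app webview may load, or null to reject the deep link.
function resolveDeepLink(deepLink) {
  let target;
  try {
    const outer = new URL(deepLink);
    if (outer.protocol !== "exampleapp:") return null;
    target = new URL(outer.searchParams.get("url") || "");
  } catch {
    return null; // unparsable link, or missing/relative target
  }
  if (target.protocol !== "https:") return null;        // no http:, javascript:, file:
  if (target.username || target.password) return null;  // no user@host tricks
  if (!ALLOWED_HOSTS.has(target.hostname)) return null; // exact match, not suffix
  if (target.port !== "") return null;
  if (!ALLOWED_PATHS.some((re) => re.test(target.pathname))) return null;
  // A trusted host is not enough: a reflected-XSS payload rides in the query
  // string of a first-party URL, so every parameter is checked as well.
  for (const [name, value] of target.searchParams) {
    if (!ALLOWED_PARAMS.has(name) || !SAFE_VALUE.test(value)) return null;
  }
  target.hash = "";
  return target.href;
}

// Server side: encode any request value before reflecting it into HTML.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample links (not taken from the Check Point report).
const wrap = (u) => "exampleapp://open?url=" + encodeURIComponent(u);
const SAMPLES = {
  ok: wrap("https://www.example-dating.test/settings?section=privacy"),
  foreignHost: wrap("https://www.example-dating.test.attacker.example/settings"),
  markupInParam: wrap("https://www.example-dating.test/settings?section=<script>x</script>"),
};
for (const [label, link] of Object.entries(SAMPLES)) {
  console.log(label, "->", resolveDeepLink(link));
}
```

Only the first sample is accepted; the lookalike host and the markup-bearing parameter are both rejected before the webview would load anything.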

The payload that Check Point built, as mentioned above, was able to steal authentication tokens, user IDs, and personally identifying information like email addresses, profile data, questions answered during registration, site and app preferences, and more.

Those personal details “are not just of interest to potential love matches. They’re also highly prized by hackers, as they’re the ‘gold standard’ of information either for use in targeted attacks, or for selling on to other hacking groups, as they enable attack attempts to be highly convincing to unsuspecting targets,” Check Point said in its report.

Check Point concludes that its research highlights serious risks with using even the most established and popular apps in a market like online dating: Despite having been around for years, OKCupid was still overlooking essential elements of user privacy and security.

“The dire need for privacy and data security becomes far more crucial when so much private and intimate information is being stored, managed, and analyzed in an app,” the report said.

Luckily for OKCupid users, the dating site confirmed that Check Point had shared the information with them before anyone had been victimized by a similar attack, and that it had the problems fixed within 48 hours of being notified.

“We’re grateful to partners like Check Point who, with OkCupid, put the safety and privacy of our users first,” OKCupid said in a statement.