Check Point researchers
raise serious security questions on dating apps after proving that potential
threat actors could have had access to sensitive, private data – full profile
details, private messages and email addresses – on OKCupid, the free online
dating app with over 50 million registered users and used in 110 countries.
· Researchers identify serious vulnerabilities on
OKCupid that allow a threat actor to masquerade as a user
· Full profile details, private messages, sexual
orientation, personal addresses, and all submitted answers to OKCupid’s
profiling questions were accessible to a potential threat actor
· A threat actor could also have performed malicious actions, such as
manipulating user profile data and sending messages, on behalf of a victim,
without that user’s knowledge
Researchers at Check Point
identified several security flaws on OKCupid’s website and mobile
app. Through the vulnerabilities found on OKCupid’s web and mobile
platforms, Check Point researchers proved that a threat actor could have stolen
the private data of an OKCupid user. Full profile details, private messages,
sexual orientation, personal addresses, and all submitted answers to OKCupid’s
profiling questions were accessible to a potential threat actor, until Check
Point Researchers responsibly disclosed the security flaws. In addition, Check
Point researchers proved that a threat actor could perform malicious actions,
such as manipulating user profile data and sending messages, on behalf of a
victim, without that user’s knowledge.
A Single, Malicious Link
To carry out the attack, a
threat actor would cause malicious code to execute in OkCupid web and mobile pages by
generating a single malicious link to send to users. Check Point researchers
outlined the attack method in three steps:
1. Threat actor generates a link
containing a payload that initiates the attack
2. Threat actor sends the link to
the victim, or publishes it in a public forum
3. Once the victim touches or clicks the
link, the malicious code is executed, resulting in data exfiltration
The attack ultimately enables
an attacker to masquerade as a victim user, to carry out any actions that the
user is able to perform, and to access any of the user's data.
Quote: Oded Vanunu, Head
of Products Vulnerability Research at Check Point:
“Our research into OKCupid,
which is one of the longest-standing and most popular applications in their
sector, has led us to raise some serious questions over the security of dating
apps. The fundamental questions being: how safe are my intimate details on the application?
How easily can someone I don’t know access my most private photos, messages and
details? We’ve learned that dating apps can be far from safe. Every maker and
user of a dating app should pause for a moment to reflect on what more can be
done around security, especially as we enter what could be an imminent cyber
pandemic. Applications with sensitive personal information, like a dating app,
have proven to be targets of hackers, hence the critical importance of securing
them.”
Responsible Disclosure:
Check Point researchers
responsibly disclosed their findings to OKCupid. OkCupid acknowledged and fixed
the security flaws in their servers. OKCupid has issued the following
statement: “Check Point Research informed OkCupid developers about the
vulnerabilities exposed in this research and a solution was responsibly
deployed to ensure its users can safely continue using the OkCupid app. Not a
single user was impacted by the potential vulnerability on OkCupid, and we were
able to fix it within 48 hours. We're grateful to partners like Check Point who,
with OkCupid, put the safety and privacy of our users first.”
OKCupid by the Numbers:
· OkCupid app has been downloaded
over 10 million times on Google Play. (2019. Source)
· It has been roughly estimated
that OkCupid has had 50 million users since they launched (2019. Source)
· During the coronavirus pandemic,
OkCupid has seen a 20% increase in conversations and a 10% increase in
matches worldwide (2020. Source)
· In 2020, OkCupid has seen a 30%
increase in messages. (2020. Source)
· 91 million connections were made
on OkCupid in 2019 (2019. Source)
· 50 thousand dates are made every
week (2019. Source)