OkCupid, a popular dating app, has over 50 million registered users.
Dating apps have long served as a substitute for the effort of finding a suitable match in the physical world. Naturally, this makes them a collection point for personal details and preferences, attracting malicious actors who may want to leverage such information to their advantage.
Therefore, it is important for the developers of such apps to take great care in guarding their data. In that spirit, Check Point researchers recently inspected the OkCupid app and found several vulnerabilities.
The vulnerabilities if exploited would have exposed user data including their stated characteristics, pictures, and other details. This would have opened many people to the possibility of being blackmailed and even cyberbullied.
In addition, user IDs, authentication tokens, and email addresses could have been accessed, allowing an attacker not only to take control of user accounts and perform unauthorized actions, but also to conduct targeted phishing campaigns outside the platform.
Once this data had been gathered, the attacker could have sent it to their own server, so that discovering the breach would have done little to limit the damage.
On the technical side, according to Check Point's blog post, these flaws were found by reverse-engineering OkCupid's Android application and then examining the other components it interacts with. For example, the site's domain was found to be vulnerable to Cross-Site Scripting (XSS), which in turn led to the discovery of the other flaws.
To conclude, no actual users were harmed, which is what matters most. Furthermore, according to OkCupid, all of these flaws were fixed within 48 hours. The takeaway is that companies should also engage independent pen-testing teams to identify vulnerabilities before attackers do.
Additionally, a bug bounty program is an excellent incentive for third-party white hat testers whom these companies have not hired to report what they find.