Critical OkCupid Flaw Exposes Daters to App Takeovers


The flaw is only one of many romance-related security issues as bad actors take advantage of Valentine’s Day.

A critical flaw in the OkCupid app has been found that could allow a bad actor to steal credentials, launch man-in-the-middle attacks or completely compromise the victim’s application.

This is separate from the OkCupid account-takeover incident reported earlier in the week, but it does fit the theme of Valentine’s Day, when cybercriminals turn their sights to romance-seekers leading up to the holiday (see below for more on that).

The newly disclosed vulnerability is incredibly easy to exploit, and yet has serious consequences: Attackers can monitor the app’s usage, read all messages and even track the victim’s geographic location, researchers with Checkmarx, who discovered the flaw, said on Thursday.

In the most dire scenario, the flaw could allow bad actors to send daters malicious links with self-replicating malware: “The disruptive potential of this attack is frightening as it is not hard to implement, it is not easy to detect by a typical user, and has high confidentiality, high integrity and high availability impact,” said researchers in a post detailing a proof of concept (PoC) attack for the flaw.

Users should, of course, update their app as soon as possible.

The vulnerability exists in OkCupid’s Android app, which uses a “WebView,” i.e., a browser bundled inside of a mobile application. This produces what is called a hybrid app.

In order to avoid handling external content, nearly every link that is passed to the OkCupid app is opened and handled by the associated browser (including Chrome, Firefox, etc.). However, some URLs are defined by OkCupid as MagicLinks, which are opened and rendered within the app’s WebView.


The flaw arises from the fact that any link containing a specific string, “/l/”, will pass as a MagicLink.

That means that bad actors could send app users URLs that contain “/l/” and, because it opens within the app, few users would suspect that the links are malicious, researchers said.

“Users are used to somewhat suspecting links that arrive by email or messaging apps, but there is false confidence in links that are sent as internal messages in apps,” Erez Yalon, head of security research at Checkmarx, told Threatpost. “Awareness should be raised toward that kind of attack. Unfortunately, in this case, the attack would be very hard to identify by an unsuspecting user, so the responsibility of protection is on the vendor.”

The vulnerability does not have a CVE number; regarding CVSS score, Yalon told Threatpost the bug “is critical (maybe even maximal) since it is not hard to implement.”

Researchers said that they reached out to OkCupid on Nov. 15. A fix to the application was released Jan. 4, and researchers stressed that users should update as soon as possible.

At the simplest level, this flaw sets up the perfect attack vector for phishing techniques, researchers said. An attacker could very simply create a page with a URL containing /l/, and send it to an unsuspecting victim as an internal OkCupid message.

“In the attack we crafted, the web page simulates a user login page with the OkCupid look and feel, inside the OkCupid application,” researchers at Checkmarx said. “The user is tricked into providing his credentials; he has no reason to suspect that it is not a legitimate request. These credentials are then sent to the attacker.”

In that situation, an attacker would be able to collect a slew of information – including email address, name, gender, date of birth, country and ZIP code. But they could also potentially gain access to more personal data – including the age range and gender of people who the victim is interested in dating.

However, the vulnerability also exposes daters to several much more damaging attacks.


By sending victims a crafted link to a malicious page, researchers found that they were able to change the app’s interaction URL base from https://api.okcupid[.]com to their own controlled HTTP page (“http://192.168.0.237:4444”). That ultimately changes the API endpoint to an attacker-controlled address.

That means the attacker now permanently controls the flow of information between the victim and the API server, allowing them to launch man-in-the-middle attacks, where an attacker secretly intercepts communication between two parties.
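The two weaknesses described above, the substring “/l/” test that decides which links are rendered inside the WebView and the app accepting a new API base URL from web content, are both link-validation failures. The example below is added here and is not Checkmarx’s PoC or OkCupid’s code; the trusted host names, the MagicLink path prefix and the sample URLs are constructed assumptions for illustration. It places the loose check the article describes beside a hardened one that parses the URL, pins scheme and host, and only then looks at the path, and it shows an API base setter that falls back to the pinned default whenever a candidate is not an HTTPS URL on the expected API host.

```python
from urllib.parse import urlsplit

# Constructed assumptions for the example: the real app's trusted hosts and
# MagicLink layout are not published in the article.
TRUSTED_WEB_HOSTS = {"okcupid.com", "www.okcupid.com"}
TRUSTED_API_HOSTS = {"api.okcupid.com"}
MAGICLINK_PREFIX = "/l/"
DEFAULT_API_BASE = "https://api.okcupid.com"


def is_magiclink_vulnerable(url: str) -> bool:
    """The check the article describes: any URL containing "/l/" anywhere
    is treated as an internal MagicLink and rendered inside the WebView."""
    return "/l/" in url


def is_magiclink_hardened(url: str) -> bool:
    """Treat a link as internal only if it is HTTPS, on a trusted web host,
    carries no userinfo, and its *path* (not query or fragment) starts with
    the MagicLink prefix and contains no ".." segment."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # e.g. https://www.okcupid.com@attacker.example/l/...
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_WEB_HOSTS:
        return False
    if ".." in parts.path.split("/"):
        return False
    return parts.path.startswith(MAGICLINK_PREFIX)


def route_link(url: str, hardened: bool = True) -> str:
    """Return where the app should open a link: "webview" for an internal
    MagicLink, "browser" for everything else (the external handler)."""
    check = is_magiclink_hardened if hardened else is_magiclink_vulnerable
    return "webview" if check(url) else "browser"


def validate_api_base(candidate: str, current: str = DEFAULT_API_BASE) -> str:
    """Return the API base the app should use after a change request.
    A candidate coming from page content is honoured only if it is an HTTPS
    origin on a trusted API host with no path, query, fragment or userinfo;
    otherwise the current (pinned) base is kept unchanged."""
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return current
    host = (parts.hostname or "").lower()
    if (
        parts.scheme != "https"
        or host not in TRUSTED_API_HOSTS
        or parts.username is not None
        or parts.path not in ("", "/")
        or parts.query
        or parts.fragment
    ):
        return current
    return f"https://{host}" + (f":{parts.port}" if parts.port else "")


if __name__ == "__main__":
    # Constructed sample links: the address from the article's PoC, a link
    # that smuggles "/l/" into the query string, and a genuine-looking one.
    samples = [
        "http://192.168.0.237:4444/l/login",
        "https://www.okcupid.com/profile?next=/l/x",
        "https://www.okcupid.com@attacker.example/l/x",
        "https://www.okcupid.com/l/abc123",
    ]
    for s in samples:
        print(f"{s}\n  vulnerable -> {route_link(s, hardened=False)}"
              f"\n  hardened   -> {route_link(s)}")
    print(validate_api_base("http://192.168.0.237:4444"))
    print(validate_api_base("https://api.okcupid.com/"))
```

The hardened classifier answers the question the substring test never asks, namely which origin the link actually points at; once the host is pinned, the “/l/” prefix can only select content served by the app’s own backend. The API base setter follows the same rule and, rather than trusting the caller, simply refuses to move off the pinned origin.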

“With this elevated control, the attacker can now impersonate the victim, monitor the app’s usage, read all messages and even track the victim’s geographic location,” researchers said.

And, in the worst-case scenario, the attack could spread as self-propagating malware which, after infecting one victim, would send the malicious link to all the victim’s OkCupid contacts as an innocent-looking internal OkCupid message.

“From the vulnerabilities described above, it’s only a short technical leap to creating a self-replicating worm,” researchers said. “This kind of attack could put the entire OkCupid user base at risk. Since the app continues to behave normally after the infection, the users have no reason to suspect that anything has gone wrong. Any attack outlined above could be replicated in scale, impacting all infected users.”

Earlier this week, OkCupid denied a data breach after reports surfaced of users complaining that their accounts were hacked.

Users said that attackers had logged into their accounts and then changed the email addresses and passwords on file, thus locking them out of the accounts and making it nearly impossible to regain control of them.

While password reuse and easy-to-guess passwords often make accounts like these easy to compromise through credential stuffing or brute forcing, several users said they were using strong credentials, unique to the site. That would imply some kind of data breach or exposure by OkCupid – but OkCupid says that conclusion is unwarranted.

“There has been no security breach at OkCupid,” Natalie Sawyer, a spokesperson for OkCupid, said in a media statement to TechCrunch. “All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.”

Checkmarx researchers confirmed with Threatpost that this security incident is separate from the flaw outlined in their research.

It’s not the first dating app to face security issues: Researchers last year said they discovered a pair of vulnerabilities in the Tinder Android and iOS dating applications that could allow an attacker to snoop on user activity and manipulate content, compromising user privacy and putting them at risk.

OkCupid isn’t the only love-related security threat making waves this Valentine’s Day.

In a new advisory published on Tuesday, the Federal Trade Commission warned that reports of internet romance scams are rising as cyber criminals gain the confidence of their victims and trick them into sending money.

Last year, people reported losing $143 million to romance scams – a higher total than for any other type of scam reported, according to the FTC.

In December, for instance, a sextortion ring that aimed “catfish” efforts at U.S. military service members was uncovered. The scam bilked 442 service members from the Army, Navy, Air Force and Marine Corps out of more than $560,000.

Scammers are targeting people on dating apps and social media by luring them in with friendly conversation and then eventually asking for money, the FTC said.

“We’re talking about people you meet online, who lavish you with attention … and then ask for money,” said the FTC. “Usually they want the money by wire transfer or gift card. They might claim they need it for a medical emergency or to come visit you. Then they take your money, but there’s no surgery and no trip.”

Users can avoid these scams by using caution when dating online, and by never sending money or gifts to someone they have not met in person.

“Because of how personalized and detailed these attacks can be, it’s important that you always take things slowly and be very mindful of any potential online romance, especially if they start asking for money,” Nathan Wenzler, senior director of cybersecurity at Moss Adams, said in an email. “Remember that it’s OK to say ‘no,’ and to be skeptical until you’ve met the person face-to-face and built a stronger trust relationship. After all, if that person truly is the one, they aren’t likely to put you in this kind of compromising situation in the first place.”
