Check Point recently identified and helped mitigate several security flaws on OkCupid’s website and mobile app. If exploited, the vulnerabilities would have allowed a hacker to access and steal the private data of OkCupid users, and send messages from their account without users’ knowledge.
Launched in 2004, OkCupid is now one of the leading free online dating services globally with over 50 million registered users and used in 110 countries. In 2019, 91 million connections were made via the site annually, with an average of 50,000 dates arranged every week. During the Covid-19 pandemic, OkCupid has seen a 20% increase in conversations. However, the detailed personal information submitted by users also makes online dating services targets for threat actors, either for targeted attacks, or for selling on to other hackers.
Check Point researchers demonstrated that the vulnerabilities in OkCupid’s app and website could give a hacker access to a user’s full profile details, private messages, sexual orientation, personal addresses, and all submitted answers to OkCupid’s profiling questions. The flaws would also have enabled the hacker to manipulate the target user’s profile data and send new messages to other users from their account – enabling the hacker to impersonate the real user for further fraudulent or malicious activities.
Researchers detailed the three-step attack method which would have enabled a hacker to target users:
- The hacker generates a malicious link containing a targeted payload that initiates the attack
- The hacker sends the link to the intended target, or publishes it in a public forum for users to click on
- Once the victim clicks the link to open it, the malicious code is executed, giving the hacker access to the target’s account
Oded Vanunu, Head of Products Vulnerability Research at Check Point, said: “Our research into OkCupid, which is one of the most popular dating platforms, has raised some serious questions over the security of all dating apps and websites. We demonstrated that users’ private details, messages and photos could be accessed and manipulated by a hacker, so every developer and user of a dating app should pause to reflect on the levels of security around the intimate details and images that they host and share on these platforms. Thankfully, OkCupid responded to our findings immediately and responsibly to mitigate these vulnerabilities on their mobile app and website.”
Check Point researchers responsibly disclosed their findings to OkCupid. OkCupid acknowledged and fixed the security flaws in its servers, so users do not need to take any action.
Following the disclosure and fixing of the vulnerabilities, OkCupid issued this statement: “Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app. Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Check Point who with OkCupid, put the safety and privacy of our users first.”
For details of the vulnerabilities and a video showing how they could be exploited, visit https://research.checkpoint.com