Hacker, 22, seeks LTR with your data: vulnerabilities found on popular dating app OkCupid

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code, which is used for exfiltration and for performing actions on the victim's account, contains 3 functions:

  • steal_token – Steals the user's authentication token, oauthAccessToken, as well as the user's id, userid. The user's sensitive information (PII), such as the email address, is exfiltrated too.
  • steal_data – Steals the user's profile and private data, preferences, user characteristics (e.g. answers filled in during registration), and more.
  • send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.

steal_token function:

The function makes an API call to the server. The user's cookies are sent to the server, since the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON containing the user's id and the authentication token as well:

steal_data function:

The function makes an HTTP request to the graphql endpoint.

Based on the information exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with all the information about the victim's profile, including email, sexual orientation, height, family status, etc.

send_data_to_attacker function:

The function makes a POST request to the attacker's server containing all the data retrieved in the previous functions (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all the victim's sensitive information:

Performing actions on behalf of the victim is also possible thanks to the exfiltration of the victim's authentication token and the user's id. These details can be used in the malicious JavaScript code (in the same way as in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data thanks to the information exfiltrated in the steal_token function:

  • Authentication token, oauthAccessToken, is used in the authorization header (bearer value).
  • User id, userId, is added as needed.
  • Note: An attacker cannot perform full account takeover, since the cookies are protected with HTTPOnly.


Web System Vulnerabilities: Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Information Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured properly, and any origin can send requests to the server and read its responses. The following request is a request sent to the API server from the origin :

The server does not properly validate the origin and responds with the requested data. Moreover, the server response contains Access-Control-Allow-Origin: and Access-Control-Allow-Credentials: true headers:

From this point on, we realized that we could send requests to the API server from our domain without being blocked by the CORS policy.
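The misconfiguration described above, as an added example that is not part of the original research or of OkCupid's code: a CORS handler that echoes any Origin together with Access-Control-Allow-Credentials: true, beside an allowlist-based handler, plus a check a defender can run over captured response headers to flag the credentialed-reflection pattern. The origins are hypothetical.

```javascript
// Added example, not OkCupid's or the researchers' code. Origins are hypothetical.
const TRUSTED_ORIGINS = new Set([
  "https://www.example-dating.test",
  "https://app.example-dating.test",
]);

// Vulnerable pattern: whatever Origin the browser sends is echoed back, together
// with Allow-Credentials: true, so any site the victim visits while logged in can
// read authenticated API responses (the browser attaches the victim's cookies).
function corsHeadersReflectAny(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: exact-match allowlist. Unknown origins get no CORS headers,
// so the browser blocks the cross-origin read. "Vary: Origin" stops a cache from
// serving one origin's Allow-Origin header to a different origin.
function corsHeadersAllowlist(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Detection over captured headers: true when credentials are allowed AND the
// Allow-Origin value is the requesting origin AND that origin is not trusted,
// i.e. the combination the writeup describes for api.OkCupid.com.
function isCredentialedOriginReflection(requestOrigin, responseHeaders) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  const creds = String(responseHeaders["Access-Control-Allow-Credentials"] || "").toLowerCase();
  return creds === "true" && allow === requestOrigin && !TRUSTED_ORIGINS.has(requestOrigin);
}
```

Running the check across a proxy capture of API responses (one call per request/response pair) gives a quick inventory of endpoints that still reflect untrusted origins with credentials.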

As soon as a victim is authenticated on the OkCupid application and browses to the attacker's web application, an HTTP GET request is sent to containing the victim's cookies. The server's response includes a large JSON containing the victim's authentication token (oauth_accesstoken) and the victim's user_id.

We could find even more useful information in the bootstrap API endpoint: sensitive API endpoints in the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:


The world of online-dating apps has developed rapidly over the years, and matured to where it is today with the transformation to a digital world, especially in the past 6 months, since the outbreak around the world. The "new normal" behaviors, such as "social distancing", have pushed the dating world to depend entirely on digital tools for support.

The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The serious need for privacy and data protection becomes even more essential when so much personal and intimate information is being stored, handled and analyzed within an application. The application and platform are designed to bring people together, but of course where people go, criminals follow, looking for easy pickings.
