Contributed by: ElyseRomano Tuesday, March 05 2019 @ 09:10 am
February might be the season of love, but recent reports of hacking incidents may have you thinking twice before opening your favorite dating app. OkCupid is the subject of not one but two such stories - first a report[*1] revealing the dating site has denied a data breach despite multiple users’ claims of their accounts being hacked and stolen, and now the discovery of a security flaw from Israel-based cybersecurity firm Checkmarx.
According to researchers at Checkmarx, a vulnerability in the Android version of OkCupid’s mobile app could have exposed users to attacks of varying severity from cybercriminals. Bad actors could exploit the flaw to monitor usage of the app, read messages, track a user’s geographic location, send links with self-replicating malware or impersonate the victim.
“The disruptive potential of this attack is frightening as it is not hard to implement, it is not easy to detect by a typical user, and has high confidentiality, high integrity and high availability impact,” said researchers in a post explaining the potential impact of the flaw.
Here’s where it gets technical. The OkCupid app is a hybrid app that uses an outside browser, such as Chrome or Firefox, bundled inside the mobile application (called a “WebView”) to handle external content. Most links passed to the OkCupid app are opened by the browser, but some, called “MagicLinks” by OkCupid, are opened within the app’s WebView. Any link that contains “/l/” is processed as a MagicLink and opened inside the app.
An attacker could create a malicious page with a URL containing /l/ and send it to an unsuspecting OkCupid user. The page could perfectly emulate OkCupid’s login page, for example, and trick the user into providing their username and password. The attacker would then have access to the user’s account and any personal information contained therein. A more devious cybercriminal could exploit the same vulnerability to create a self-propagating malware that could put the entire OkCupid user base at risk.
“Users are used to somewhat suspecting links that arrive by email or messaging apps, but there is false confidence in links that are sent as internal messages in apps,” Erez Yalon, head of security research at Checkmarx, told Threatpost[*2] . “Awareness should be raised toward that kind of attack. Unfortunately, in this case, the attack would be very hard to identify by an unsuspecting user, so the responsibility of protection is on the vendor.”
Yalon confirmed that the problem has been fixed in the Android app. The same security issue reportedly did not affect the iOS and mobile web versions of the platform. OkCupid users should update to the most current version of the app as soon as possible, and remember to be cautious about sharing any personal information through an app or website.
For more on this dating service you can read our OkCupid review.