OkCupid, one of the world’s most popular online dating services, has been left vulnerable to the threat of hacking as a result of several security flaws.
Researchers at cybersecurity firm Check Point discovered a range of dangerous flaws in the website and mobile app of the online dating service, which is used by more than 50 million people globally.
Data on daters
By leveraging these vulnerabilities, a hacker would have been able to view personal information such as full profiles, messages, email addresses, sexual orientation and other details that users input as part of OkCupid’s profiling process.
The flaws would have also allowed a cybercrook to conduct myriad hostile actions, like “manipulating user profile data and sending messages” from a users’ account — all without them knowing.
Check Point explained that a hacker could do these things by injecting malicious code into the back end of the OkCupid website and mobile apps.
Simple steps
As part of this process, the hacker would have had to create a “single, malicious link” that would be distributed to users of the online dating service.
A successful breach would have been a case of following three relatively simple steps, which are as follows:
- Threat actor generates a link containing a payload that initiates the attack
- Threat actor sends the link to the victim, or publishes it in a public forum
- Once the victim touches or clicks the link, the malicious code is executed, resulting in data exfiltration
Check Point said this attack “enables an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user’s data”.
Oded Vanunu, head of products vulnerability research at Check Point, said: “Our research into OKCupid, which is one of the longest-standing and most popular applications in their sector, has led us to raise some serious questions over the security of dating apps.
“The fundamental questions being: how safe are my intimate details on the application? How easily can someone I don’t know access my most private photos, messages and details? We’ve learned that dating apps can be far from safe.
“Every maker and user of a dating app should pause for a moment to reflect on what more can be done around security, especially as we enter what could be an imminent cyber pandemic. Applications with sensitive personal information, like a dating app, have proven to be targets of hackers, hence the critical importance of securing them.”
Taking action
Since discovering the flaws, Check Point researchers have reported them to OKCupid and the dating site has issued fixes.
OKCupid said: “Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app.
“Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Check Point who with OkCupid put the safety and privacy of our users first.”
This isn’t the first time that a dating website has been breached and seen user data put at the mercy of threat actors.
To stay one step ahead of cybercrooks, you should generate strong passwords, ask yourself if you’re potentially sharing too much personal information online, only use reputable apps and download an antivirus solution.
- More: Stay anonymous without the spend with a cheap VPN
