Researchers at cyber security firm Check Point have raised serious security questions about the dating app OkCupid. The researchers have proved that potential threat actors could have had access to sensitive, private data – full profile details, private messages and email addresses. OkCupid is a free online dating app with over 50 million registered users and is used in 110 countries.
Researchers at Check Point identified several security flaws in OkCupid’s website and mobile app. Through the vulnerabilities found on OkCupid’s web and mobile platforms, Check Point researchers proved that a threat actor could have stolen the private data of an OkCupid user.
“Our research into OkCupid, which is one of the longest-standing and most popular applications in their sector, has led us to raise some serious questions over the security of dating apps. The fundamental questions being: how safe are my intimate details on the application? How easily can someone I don’t know access my most private photos, messages and details? We’ve learned that dating apps can be far from safe,” said Oded Vanunu, head of products Vulnerability Research at Check Point.
Full profile details, private messages, sexual orientation, personal addresses, and all submitted answers to OkCupid’s profiling questions were accessible to a potential threat actor. Check Point researchers also showed that a threat actor could perform malicious actions on behalf of a victim, such as manipulating user profile data and sending messages, without that user’s knowledge.
To carry out the attack, a threat actor would execute malicious code in OkCupid web and mobile pages by generating a single malicious link to send to users. Check Point researchers outlined the attack method in three steps. Once the victim clicks the link, the malicious code is executed, resulting in data exfiltration. The attack ultimately enables an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user’s data.